
Bug 440776 (CVE-2012-4524)

Summary: <x11-misc/xlockmore-5.41: Screensaver crash (screen lock bypass) when 'dclock' mode used (CVE-2012-4524)
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Agostino Sarubbo <ago>
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: desktop-misc
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2012/10/17/10
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-11-01 16:16:29 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=867908 :

A denial of service flaw was found in the way xlockmore, an X screen lock and screen saver, passed arguments to the underlying localtime() call when the 'dclock' mode was used. An attacker could use this flaw to potentially obtain unauthorized access to the screen / graphical session previously locked by another user / victim.

CVE request (containing also patch proposal):
[1] http://www.openwall.com/lists/oss-security/2012/10/17/10
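Added example, not xlockmore code and not part of this report: the report only says that the dclock mode mishandled the arguments to localtime(), and that the crash of the locker is what bypasses the lock. The block below assumes (an assumption, not stated here) that the clock value was kept in a 32-bit integer and that localtime()'s result was used without a NULL check; it shows that pattern next to a hardened version that keeps the value in time_t, uses localtime_r() and reports failure instead of dereferencing NULL. The sample timestamps are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/*
 * Added illustration for the bug class in this report; it is not xlockmore
 * code. Assumed (not stated on the page): the clock mode kept the
 * seconds-since-epoch value in a 32-bit integer and used localtime()'s
 * return value without a NULL check. In a screen locker, any such crash
 * ends the process holding the X grab, which is the lock bypass.
 */

/* Vulnerable shape. The cast makes localtime() read sizeof(time_t) bytes,
 * so where time_t is 64 bits it reads past the 4-byte object, and the
 * result is dereferenced even if localtime() returned NULL. Kept only for
 * comparison with the hardened version; it is never called. */
int year_unsafe(int32_t secs32)
{
    struct tm *tm = localtime((time_t *)&secs32);   /* out-of-bounds read */
    return tm->tm_year + 1900;                       /* NULL dereference on failure */
}

/* Hardened shape: hold the value in time_t (no width mismatch, no 2038
 * wrap), use re-entrant localtime_r(), and report failure to the caller.
 * Returns 0 on success and stores the calendar year; -1 on failure. */
int year_safe(time_t secs, int *year)
{
    struct tm tm;
    if (localtime_r(&secs, &tm) == NULL)
        return -1;
    *year = tm.tm_year + 1900;
    return 0;
}

/* Y2038 check: can this time_t survive a round trip through a 32-bit
 * signed integer without wrapping? */
int fits_in_int32(time_t secs)
{
    return secs >= (time_t)INT32_MIN && secs <= (time_t)INT32_MAX;
}

int main(void)
{
    /* Constructed sample inputs: mid-1970, the first second past the
     * 32-bit limit (January 2038), and mid-2038. The last two are only
     * representable where time_t is 64 bits wide. */
    time_t samples[3];
    size_t n = 1;
    samples[0] = (time_t)86400 * 180;
    if (sizeof(time_t) >= 8) {
        samples[1] = (time_t)INT32_MAX + 1;
        samples[2] = (time_t)INT32_MAX + (time_t)86400 * 180;
        n = 3;
    }
    for (size_t i = 0; i < n; i++) {
        int year;
        if (year_safe(samples[i], &year) != 0)
            printf("%lld: localtime_r failed\n", (long long)samples[i]);
        else
            printf("%lld: year %d, fits in int32: %s\n",
                   (long long)samples[i], year,
                   fits_in_int32(samples[i]) ? "yes" : "no");
    }
    return 0;
}
```

The practitioner's check this suggests for any locker mode: every value handed to the time functions must have the type the function expects (no casts that hide a width difference), and every pointer the C library may return as NULL must be checked before use, because in a screen locker a segfault is an unlock.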
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2012-11-02 16:28:36 UTC
5.41
  ...
  dclock: fix for segmentation violation noticed on NetBSD and now more Y2038
    safe thanks to Ignatios Souvatzis <is AT netbsd.org>.
  ...

Arch teams, please test and mark stable:
=x11-misc/xlockmore-5.41
Stable KEYWORDS : alpha amd64 hppa ppc ppc64 sparc x86
Comment 2 Anthony Basile gentoo-dev 2012-11-02 22:46:57 UTC
stable ppc ppc64
Comment 3 Agostino Sarubbo gentoo-dev 2012-11-03 15:35:21 UTC
amd64 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2012-11-03 17:00:43 UTC
Stable for HPPA.
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2012-11-11 16:35:37 UTC
alpha/sparc/x86 stable
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-12 11:43:19 UTC
Thanks, everyone.

GLSA vote: yes.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2012-12-16 22:04:32 UTC
Vote: yes, GLSA request created.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-09-02 09:33:05 UTC
This issue was resolved and addressed in
 GLSA 201309-03 at http://security.gentoo.org/glsa/glsa-201309-03.xml
by GLSA coordinator Sergey Popov (pinkbyte).