I'm not sure this is public yet. From post on Vendor-sec:
According to Ray Strode this is due to a flaw in the way xscreensaver
parses a call to getpwuid(getuid()); a local user can unlock the screen
using any password. It seems the call to getpwuid can return NULL in this
instance. I'm attaching Ray's patch.
This is fixed in 5.02 but a quick search of the Changelog didn't mention this explicitly.
drac please advise.
Could you attach the patch mentioned?
I'm working on upgrading xscreensaver as we speak but I would like to verify it really fixes this issue.
Created attachment 117844
(In reply to comment #4)
> Created an attachment (id=117844) 
Confirming it's fixed in 5.02.
Samuli, is 5.x ready for stable marking?
Also did you find any detailed public information about this yet?
(In reply to comment #6)
> Samuli, is 5.x ready for stable marking?
5.02 fixing this issue is ready to go stable, and bug 167688 should be marked duplicate of it.
> Also did you find any detailed public information about this yet?
Couldn't find any information about it.
Calling arch security liaisons. Please test and mark stable.
Bug #167688 will be duped once this goes public. I guess alpha and mips can unCC themselves from it though.
xscreensaver-5.01-nsfw.patch does not apply:
* Applying xscreensaver-5.01-nsfw.patch ...
* Failed Patch: xscreensaver-5.01-nsfw.patch !
* ( /usr/portage/x11-misc/xscreensaver/files/xscreensaver-5.01-nsfw.patch )
* Include in your bugreport the contents of:
Back to ebuild status to get this fixed.
(In reply to comment #10)
> Back to ebuild status to get this fixed.
Oops, overlooked patch used for USE="-offensive". Fixed patch is in CVS, thanks Corsair for not using offensive material. :-)
Back to stable again then :)
I'll get to it tomorrow, I just got back and need to recover from the trip
I'm not able to do the security stuff until 11th of May. For more information look at my devaway. Adding JeR to all security relevant bugs.
*** Bug 176913 has been marked as a duplicate of this bug. ***
Opening since this is public now and replacing arch security liaisons with arches.
ia64 + x86 stable and removing security liaisons.
Stable for HPPA.
This one is ready for GLSA vote. I vote YES.
vote YES too.
s/A/B since it's under certain configurations only
mips has 5.03 stable, per Bug #195253.