Since we don't ship a stable compiz I'm not too sure about this one, but it would likely be best if we get it fixed.
Ubuntu Security Notice USN-537-1 October 23, 2007
A security issue affects the following Ubuntu releases:
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
After a standard system upgrade you need to restart your session to effect
the necessary changes.
Jens Askengren discovered that gnome-screensaver became confused when
running under Compiz, and could lose keyboard lock focus. A local
attacker could exploit this to bypass the user's locked screen saver.
Sadly the Ubuntu announcement doesn't state if this fix is inside the upstream release. Does anyone know details?
Created attachment 134216 [details, diff]
The bug is here:
The patch is attached.
Seems like Ubuntu fixed it in the wrong place anyway
(In reply to comment #3)
> Seems like Ubuntu fixed it in the wrong place anyway
Lubomir, there's no movement on the RH bug. Do you have a patch for compiz?
Created attachment 135282 [details, diff]
Created attachment 135284 [details, diff]
Seems I asked too early, Ubuntu fixed this on the compiz side:
Attached are the patch for Compiz, which applies cleanly, and a patch for beryl-core, which needed some changes.
Hanno, Tsunam: Can you please test and apply the patch, check with upstream and advise whether Compiz Fusion or any other *compiz* ebuild is affected by this?
I've committed compiz-0.6.2 with the patch. Beryl is outdated, I've asked tsunam and removed it, with updates to the corresponding cf-stuff.
I think this should be everything?
(In reply to comment #8)
> I've committed compiz-0.6.2 with the patch. Beryl is outdated, I've asked
> tsunam and removed it, with updates to the corresponding cf-stuff.
Uhh.. no last-rites?
> I think this should be everything?
My guess would be that Compiz fusion is also affected, but I didn't dig through the code there. Can you advise on that?
No last rites, because mainly the beryl to compiz-fusion transition is a renaming of various packages. All beryl stuff has its equivalent in the compiz/cf-world.
About the issue affecting cf: I don't think there is anything, because cf is not a wm/composite manager itself. It's just a set of plugins and tools around compiz; as this fix affects the core, there shouldn't be any issues left.
(In reply to comment #10)
> About the issue affecting cf: I don't think there is anything, because cf is
> not a wm/composite manager itself. It's just a set of plugins and tools around
> compiz; as this fix affects the core, there shouldn't be any issues left.
Out of curiosity: Who provides the functionality then? If cf can replace beryl, it can't be removed totally, can it?