Bug 196878 (CVE-2007-3920) - x11-wm/compiz x11-wm/beryl-core gnome-screensaver password bypass (CVE-2007-3920)
Summary: x11-wm/compiz x11-wm/beryl-core gnome-screensaver password bypass (CVE-2007-3...
Status: RESOLVED FIXED
Alias: CVE-2007-3920
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://www.ubuntu.com/usn/usn-537-1
Whiteboard: ~1 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-10-24 06:08 UTC by Sune Kloppenborg Jeppesen
Modified: 2007-11-06 10:05 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
05_locking_for_compiz.patch (05_locking_for_compiz.patch,548 bytes, patch)
2007-10-24 11:14 UTC, Robert Buchholz (RETIRED)
compiz-0.6.2-CVE-2007-3920.patch (compiz-0.6.2-CVE-2007-3920.patch,1019 bytes, patch)
2007-11-06 00:00 UTC, Robert Buchholz (RETIRED)
beryl-core-0.2.1-CVE-2007-3920.patch (beryl-core-0.2.1-CVE-2007-3920.patch,1003 bytes, patch)
2007-11-06 00:00 UTC, Robert Buchholz (RETIRED)

Description Sune Kloppenborg Jeppesen gentoo-dev 2007-10-24 06:08:12 UTC
Since we don't ship a stable compiz I'm not too sure about this one, but it would likely be best if we get it fixed.

---
=========================================================== 
Ubuntu Security Notice USN-537-1           October 23, 2007
gnome-screensaver vulnerability
CVE-2007-3920
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.10:
  gnome-screensaver               2.20.0-0ubuntu4.2

After a standard system upgrade you need to restart your session to affect
the necessary changes.

Details follow:

Jens Askengren discovered that gnome-screensaver became confused when
running under Compiz, and could lose keyboard lock focus.  A local
attacker could exploit this to bypass the user's locked screen saver.
Comment 1 Hanno Boeck gentoo-dev 2007-10-24 10:14:44 UTC
Sadly the Ubuntu announcement doesn't state if this fix is inside the upstream release. Does anyone know details?
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-10-24 11:14:34 UTC
Created attachment 134216
05_locking_for_compiz.patch

The bug is here:
https://launchpad.net/bugs/145123

The patch is attached.
Comment 3 Lubomir Rintel 2007-10-25 23:23:01 UTC
Seems like Ubuntu fixed it in wrong place anyway
https://bugzilla.redhat.com/show_bug.cgi?id=350271
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-11-05 22:52:10 UTC
(In reply to comment #3)
> Seems like Ubuntu fixed it in wrong place anyway
> https://bugzilla.redhat.com/show_bug.cgi?id=350271

Lubomir, there's no movement on the RH bug. Do you have a patch for compiz?
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-11-06 00:00:12 UTC
Created attachment 135282
compiz-0.6.2-CVE-2007-3920.patch
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-11-06 00:00:35 UTC
Created attachment 135284
beryl-core-0.2.1-CVE-2007-3920.patch
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-11-06 00:07:26 UTC
Seems I asked too early, Ubuntu fixed this on the compiz side:
  http://www.ubuntu.com/usn/usn-537-2

Attached are the patch for Compiz, which applies cleanly, and a patch for beryl-core, which needed some changes.

Hanno, Tsunam: Can you please test and apply the patch, check with upstream and advise whether Compiz Fusion or any other *compiz* ebuild is affected by this?
Comment 8 Hanno Boeck gentoo-dev 2007-11-06 01:08:52 UTC
I've committed compiz-0.6.2 with the patch. Beryl is outdated, I've asked tsunam and removed it, with updates to the corresponding cf-stuff.

I think this should be everything?
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-11-06 01:17:41 UTC
(In reply to comment #8)
> I've committed compiz-0.6.2 with the patch. Beryl is outdated, I've asked
> tsunam and removed it, with updates to the corresponding cf-stuff.

Uhh.. no last-rites?

> I think this should be everything?

My guess would be that Compiz fusion is also affected, but I didn't dig through the code there. Can you advise on that?
Comment 10 Hanno Boeck gentoo-dev 2007-11-06 09:46:08 UTC
No last rites, because mainly beryl to compiz-fusion-transition is a renaming of various packages. All beryl stuff has its equivalent in the compiz/cf-world.

About the issue affecting cf: I don't think there is anything, because cf is not a wm/compositemanager itself. It's just a set of plugins and tools around compiz, as this fix affects the core, there shouldn't be any issues left.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2007-11-06 10:05:26 UTC
noglsa then.

(In reply to comment #10)
> About the issue affecting cf: I don't think there is anything, because cf is
> not a wm/compositemanager itself. It's just a set of plugins and tools around
> compiz, as this fix affects the core, there shouldn't be any issues left.

Out of curiosity: Who provides the functionality then? If cf can replace beryl, it can't be removed totally, can it?