Bug 213940 (CVE-2008-0887) - gnome-extra/gnome-screensaver <2.20.0-r3 Network authentication lock loss (CVE-2008-0887)
Status: RESOLVED FIXED
Alias: CVE-2008-0887
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Reported: 2008-03-19 19:09 UTC by Robert Buchholz (RETIRED)
Modified: 2008-05-09 14:28 UTC
Attachments
gnome-screensaver-CVE-2008-0887.patch (gnome-screensaver-CVE-2008-0887.patch,7.78 KB, patch)
2008-03-19 19:13 UTC, Robert Buchholz (RETIRED)
gnome-screensaver-2.20.0-r3.ebuild (gnome-screensaver-2.20.0-r2.ebuild,2.99 KB, text/plain)
2008-03-24 19:18 UTC, Gilles Dartiguelongue (RETIRED)
gnome-screensaver-2.22.0-r1.ebuild (gnome-screensaver-2.22.0.ebuild,2.96 KB, text/plain)
2008-03-24 19:19 UTC, Gilles Dartiguelongue (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-19 19:09:17 UTC
Josh Bressers writes:

We received a bug report regarding a flaw in the manner which
gnome-screensaver behaves when using a network authentication scheme, and
the network vanishes.

The testing was done using NIS.

Here is the reproducer reported via our bug:

    Steps to Reproduce:

    1. Configure machine to be NIS server per:
       http://kbase.redhat.com/faq/FAQ_43_5684.shtm
    2. Configure a NIS client using system-config-authentication
    3. Login to GNOME desktop with NIS-only user.
    4. Lock the screen
    5. Stop the NIS server (customer disconnected network cable in his
       test)
    6. Press return in lock window.  Press cancel.
    7. Screen unlocks with no passwd prompt.

CVE-2008-0887 has been assigned to this issue.
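The reproducer above describes a lock screen that fails open: when the NIS server is gone, the unlock dialog ends up in the unlocked state even though no password was ever verified. The C program below is an added illustration of that failure class next to the fail-closed handling that prevents it. It is not gnome-screensaver code and does not reproduce the upstream patch attached to this bug; the backend stub, the user `alice`, the test password, and the handler and state names are all constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Outcome of one authentication attempt against the backend. The third
 * value is the case from the report: the directory service (NIS here)
 * cannot be reached, so the password was never actually checked. */
typedef enum {
    AUTH_OK = 0,   /* credentials verified */
    AUTH_DENIED,   /* credentials checked and rejected */
    AUTH_UNAVAIL   /* backend unreachable; nothing was verified */
} auth_result_t;

/* Constructed stand-in for a PAM-backed check (hypothetical, not a real
 * PAM call). backend_up models whether the NIS server is reachable; the
 * user/password pair is a constructed test credential. */
static auth_result_t backend_authenticate(const char *user, const char *password,
                                          bool backend_up)
{
    if (!backend_up)
        return AUTH_UNAVAIL;
    if (strcmp(user, "alice") == 0 && strcmp(password, "correct horse") == 0)
        return AUTH_OK;
    return AUTH_DENIED;
}

/* State of the lock dialog between the "return" and "cancel" presses. */
typedef struct {
    bool unlocked;     /* must become true only after a verified attempt */
    bool dialog_open;  /* the unlock prompt is showing */
    int  failures;     /* rejected or errored attempts, for lockout/logging */
} lock_state_t;

/* Fail-open handler: the bug class. It asks "was the password rejected?"
 * and unlocks on any other answer, so a backend error unlocks the screen. */
static bool handle_result_fail_open(lock_state_t *st, auth_result_t r)
{
    if (r == AUTH_DENIED)
        st->failures++;
    else
        st->unlocked = true;
    return st->unlocked;
}

/* Fail-closed handler: asks "was the password verified?" and keeps the
 * screen locked for every other outcome, including backend errors. */
static bool handle_result_fail_closed(lock_state_t *st, auth_result_t r)
{
    if (r == AUTH_OK) {
        st->unlocked = true;
    } else {
        st->unlocked = false;   /* explicit: never inherit a stale value */
        st->failures++;
    }
    return st->unlocked;
}

/* Cancelling the dialog only dismisses the prompt; it must never be the
 * event that flips the lock state to unlocked. */
static void handle_cancel(lock_state_t *st)
{
    st->dialog_open = false;
}

/* Replays the reported sequence with a chosen handler: press return
 * (submits the typed password while the backend may be down), then cancel.
 * Returns true if the screen ends up unlocked. */
static bool replay_report(bool (*handler)(lock_state_t *, auth_result_t),
                          const char *password, bool backend_up)
{
    lock_state_t st = { .unlocked = false, .dialog_open = true, .failures = 0 };
    auth_result_t r = backend_authenticate("alice", password, backend_up);
    handler(&st, r);
    handle_cancel(&st);
    return st.unlocked;
}

int main(void)
{
    printf("NIS down, fail-open handler:   %s\n",
           replay_report(handle_result_fail_open, "", false) ? "UNLOCKED" : "locked");
    printf("NIS down, fail-closed handler: %s\n",
           replay_report(handle_result_fail_closed, "", false) ? "UNLOCKED" : "locked");
    printf("NIS up, wrong password:        %s\n",
           replay_report(handle_result_fail_closed, "wrong", true) ? "UNLOCKED" : "locked");
    printf("NIS up, right password:        %s\n",
           replay_report(handle_result_fail_closed, "correct horse", true) ? "UNLOCKED" : "locked");
    return 0;
}
```

The practitioner's check on a real PAM-backed unlock path is the same shape as the fail-closed handler: only PAM_SUCCESS from pam_authenticate() (and pam_acct_mgmt()) may unlock, and error codes such as PAM_AUTHINFO_UNAVAIL, which is what an unreachable directory service typically produces, are treated exactly like a rejected password. The seven steps in the report double as the regression test: run them against the patched package and confirm that step 6 leaves the screen locked.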
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-19 19:12:09 UTC
Mart, Saleem, this issue is under embargo until 2008-04-02. Do not commit anything to CVS until this date. Please prepare an updated ebuild and attach it to this bug, we will do prestable testing here. Thanks.

Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-03-19 19:13:38 UTC
Created attachment 146599 [details, diff]
gnome-screensaver-CVE-2008-0887.patch

upstream patch
Comment 3 Gilles Dartiguelongue (RETIRED) gentoo-dev 2008-03-24 19:18:44 UTC
Created attachment 147162 [details]
gnome-screensaver-2.20.0-r3.ebuild

here is the ebuild for gnome 2.20
Comment 4 Gilles Dartiguelongue (RETIRED) gentoo-dev 2008-03-24 19:19:29 UTC
Created attachment 147163 [details]
gnome-screensaver-2.22.0-r1.ebuild

and the one for gnome 2.22 (which is still masked)
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-03-24 19:26:40 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.

=gnome-extra/gnome-screensaver-2.20.0-r3
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 release sparc x86"

CC'ing current Liaisons:
   alpha : ferdy
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer
Comment 6 Ferris McCormick (RETIRED) gentoo-dev 2008-03-25 12:56:47 UTC
Sparc seems to be OK.
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-25 20:01:23 UTC
x86 happy saving lots of screens
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2008-03-25 20:46:35 UTC
OK for HPPA.
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2008-03-26 07:30:18 UTC
looks good on ppc64
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 17:18:41 UTC
Gilles &co, this will go public tomorrow at 14:00 UTC. You can commit after that date with the stable keywords gathered in this bug.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-04-02 12:47:26 UTC
public a little earlier, please commit.
Comment 12 Gilles Dartiguelongue (RETIRED) gentoo-dev 2008-04-02 14:05:59 UTC
ebuilds are in CVS.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-04-02 14:13:12 UTC
Arches, please test and mark stable:
=gnome-extra/gnome-screensaver-2.20.0-r3
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 release sparc x86"
Already stabled : "hppa ppc64 sparc x86"
Missing keywords: "alpha amd64 ia64 ppc release"
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2008-04-02 18:40:59 UTC
alpha/ia64 stable
Comment 15 Markus Meier gentoo-dev 2008-04-02 19:33:53 UTC
amd64 stable
Comment 16 Tobias Scherbaum (RETIRED) gentoo-dev 2008-04-03 20:12:55 UTC
ppc stable
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-04-03 22:43:13 UTC
GLSA vote: YES
Comment 18 Peter Volkov (RETIRED) gentoo-dev 2008-04-04 05:21:08 UTC
Fixed in release snapshot.
Comment 19 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-04-09 17:17:55 UTC
Surprisingly that sounds very similar to http://www.gentoo.org/security/en/glsa/glsa-200705-14.xml

Voting Yes. Let's do it
Comment 20 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-09 14:28:41 UTC
This was GLSA 200804-12