Since we don't ship a stable compiz I'm not too sure about this one, but it would likely be best if we get it fixed.

---
===========================================================
Ubuntu Security Notice USN-537-1 October 23, 2007
gnome-screensaver vulnerability
CVE-2007-3920
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 7.10:
gnome-screensaver 2.20.0-0ubuntu4.2

After a standard system upgrade you need to restart your session to effect the necessary changes.

Details follow:

Jens Askengren discovered that gnome-screensaver became confused when running under Compiz, and could lose keyboard lock focus. A local attacker could exploit this to bypass the user's locked screen saver.
Sadly the Ubuntu announcement doesn't state if this fix is inside the upstream release. Does anyone know details?
Created attachment 134216: 05_locking_for_compiz.patch
The bug is here: https://launchpad.net/bugs/145123
The patch is attached.
Seems like Ubuntu fixed it in the wrong place anyway: https://bugzilla.redhat.com/show_bug.cgi?id=350271
(In reply to comment #3)
> Seems like Ubuntu fixed it in the wrong place anyway
> https://bugzilla.redhat.com/show_bug.cgi?id=350271

Lubomir, there's no movement on the RH bug. Do you have a patch for compiz?
Created attachment 135282: compiz-0.6.2-CVE-2007-3920.patch
Created attachment 135284: beryl-core-0.2.1-CVE-2007-3920.patch
Seems I asked too early, Ubuntu fixed this on the compiz side: http://www.ubuntu.com/usn/usn-537-2 Attached are the patch for Compiz, which applies cleanly, and a patch for beryl-core, which needed some changes. Hanno, Tsunam: Can you please test and apply the patch, check with upstream and advise whether Compiz Fusion or any other *compiz* ebuild is affected by this?
I've committed compiz-0.6.2 with the patch. Beryl is outdated, I've asked tsunam and removed it, with updates to the corresponding cf-stuff. I think this should be everything?
(In reply to comment #8)
> I've committed compiz-0.6.2 with the patch. Beryl is outdated, I've asked
> tsunam and removed it, with updates to the corresponding cf-stuff.

Uhh.. no last-rites?

> I think this should be everything?

My guess would be that Compiz fusion is also affected, but I didn't dig through the code there. Can you advise on that?
No last rites, because mainly the beryl to compiz-fusion transition is a renaming of various packages. All beryl stuff has its equivalent in the compiz/cf-world. About the issue affecting cf: I don't think there is anything, because cf is not a wm/compositemanager itself. It's just a set of plugins and tools around compiz; as this fix affects the core, there shouldn't be any issues left.
noglsa then.

(In reply to comment #10)
> About the issue affecting cf: I don't think there is anything, because cf is
> not a wm/compositemanager itself. It's just a set of plugins and tools around
> compiz, as this fix affects the core, there shouldn't be any issues left.

Out of curiosity: Who provides the functionality then? If cf can replace beryl, it can't be removed totally, can it?