Date: Fri, 12 Feb 2010 15:14:56 -0700
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: gnome-screensaver vulnerability (CVE-2010-0414)

* [2010-02-08 09:48:22 -0700] Vincent Danen wrote:
>This is a heads up on a gnome-screensaver issue that was fixed upstream
>today.
>
>In version 2.28, it is possible to circumvent the security of screen
>locking functionality by changing the physical monitor configuration.
>
>Details are available in our bugzilla, along with the patch being used
>by upstream to correct the issue:
>
>https://bugzilla.redhat.com/show_bug.cgi?id=562217
>
>We have assigned CVE-2010-0414 to this issue.
>
>The code that caused this issue went into gnome-screensaver during the
>2.24 development cycle, but auto-configuration of hotplugged monitors
>didn't show up until 2.28, and that is a pre-requisite for triggering
>the bug, so only 2.28 is vulnerable.
>
>References:
>
>http://git.gnome.org/browse/gnome-screensaver/commit/?id=a5f66339be6719c2b8fc478a1d5fc6545297d950
>https://bugzilla.gnome.org/show_bug.cgi?id=609337

A similar issue was also just found. We have assigned CVE-2010-0422 to
the new flaw that is similar to this.

https://bugzilla.redhat.com/show_bug.cgi?id=564464
https://bugzilla.gnome.org/show_bug.cgi?id=609789

There are links to the upstream commits in the gnome bug report.

As with the previous issue, this one also only affects version 2.28.

--
Vincent Danen / Red Hat Security Response Team