Date: Fri, 5 Mar 2010 10:09:58 +0100
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>, coley@...re.org
Subject: Re: CVE Request: gnome-screensaver termination by pressing "Enter"

Can someone, Stephen, assign a CVE id please?

Ciao, Marcus

On Fri, Feb 12, 2010 at 10:53:24AM +0100, Marcus Meissner wrote:
> Hi,
>
> Yesterday an article was published by Heise News (a German IT magazine)
> that said that the Gnome Screensaver in openSUSE 11.2 is unlockable by
> just pressing the "return" key for some time.
>
> The issue as far as we know is the following:
>
> The unlock dialog shakes if you enter the wrong password. On the last try,
> this dialog is also hidden again (so screen is blanked).
>
> There is a race condition between these two actions which can lead to an X error
> which aborts the screensaver (and so unlocks the screen).
>
> It is fixed in gnome-screensaver 2.28.1 release.
>
> References:
>
> The fixing commit in the 2.28 branch:
> http://git.gnome.org/browse/gnome-screensaver/commit/?h=gnome-2-28&id=98f8a22412cf388217fd5b88915eadd274d68520
>
> The news article (in German):
> http://www.heise.de/newsticker/meldung/Gnome-Bildschirmsperre-in-OpenSuse-Linux-wirkungslos-928580.html
>
> The GNOME upstream bug:
> http://bugzilla.gnome.org/show_bug.cgi?id=598476
>
> I think this does not have a CVE id yet, so please someone allocate one.
>
> I am not sure when this shaking was introduced, but it might be pretty new.
>
> Ciao, Marcus

-- 
Working, but not speaking, for the following German company:
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)