Date: Fri, 5 Mar 2010 10:09:58 +0100
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>,
	coley@...re.org
Subject: Re: CVE Request: gnome-screensaver termination by pressing "Enter"


Can someone, Stephen, assign a CVE id please?

Ciao, Marcus

On Fri, Feb 12, 2010 at 10:53:24AM +0100, Marcus Meissner wrote:
> Hi,
> 
> Yesterday an article was published by Heise News (a German IT magazine)
> that said that the Gnome Screensaver in openSUSE 11.2 is unlockable by
> just pressing the "return" key for some time.
> 
> The issue as far as we know is the following:
> 
> The unlock dialog shakes if you enter the wrong password. On the last try,
> this dialog is also hidden again (so screen is blanked).
> 
> There is a race condition between these two actions which can lead to an X error
> which aborts the screensaver (and so unlocks the screen).
> 
> It is fixed in gnome-screensaver 2.28.1 release.
> 
> References:
> 
> The fixing commit in the 2.28 branch:
> http://git.gnome.org/browse/gnome-screensaver/commit/?h=gnome-2-28&id=98f8a22412cf388217fd5b88915eadd274d68520
> 
> The news article (in German):
> http://www.heise.de/newsticker/meldung/Gnome-Bildschirmsperre-in-OpenSuse-Linux-wirkungslos-928580.html
> 
> The GNOME upstream bug:
> http://bugzilla.gnome.org/show_bug.cgi?id=598476
> 
> I think this does not have a CVE id yet, so please someone allocate one.
> 
> I am not sure when this shaking was introduced, but it might be pretty new.
> 
> Ciao, Marcus

-- 
Working, but not speaking, for the following German company:
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
