Bug 441451 (CVE-2008-1683)

Summary: CVE-2008-1683 xscreensaver: fails to start if NIS authentication is used and network is unavailable
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jwz, mtasaka, rstrode
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1683
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-23 16:57:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2008-04-08 07:24:35 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1683 to the following vulnerability:

xscreensaver on Fedora 8, when an NIS authentication server is enabled, exits if this server is unavailable as the xscreensaver process is starting, which allows physically proximate attackers to gain access to a workstation session for which locking was intended, a related issue to CVE-2007-1859.

Refences:
https://bugzilla.redhat.com/show_bug.cgi?id=435773
Comment 1 Mamoru TASAKA 2008-04-08 07:36:41 UTC 
CC-ing to jwz.
Comment 2 Jamie Zawinski 2008-04-08 09:01:54 UTC 
This was fixed in 2005 or something. If Red Hat would stop shipping xscreensaver 4.24, I might get to 
stop hearing about this someday.
Comment 3 Mamoru TASAKA 2008-04-08 09:51:52 UTC 
(In reply to comment #0)
> xscreensaver on Fedora 8, when an NIS authentication server is enabled, exits
if this server is unavailable as the xscreensaver process is starting, 

> Refences:
> https://bugzilla.redhat.com/show_bug.cgi?id=435773

Well, I don't use NIS, however do you mean 
https://bugzilla.redhat.com/show_bug.cgi?id=435773#c11 ? This says
- The system uses NIS authentication
- The network connection to NIS happens to start
- _After_ this disconnenction happens a user tries to start xscreensaver
- Then xscreensaver refuses to start.

(again I don't use NIS, so I am just guessing what is happening)
As far as I read bug 435773, xscreensaver refuses  to start at
the lines 1520-1521 of src/xscreensaver.c, however IMO this is perhaps
what xscreensaver just expects.

Note that Fedora-8 xscreensaver is now 5.05.
Comment 4 Mamoru TASAKA 2008-04-08 09:54:56 UTC 
(In reply to comment #3)
> Well, I don't use NIS, however do you mean 
> https://bugzilla.redhat.com/show_bug.cgi?id=435773#c11 ? This says
> - The system uses NIS authentication
> - The network connection to NIS happens to start

  This line should read as "The network connection to NIS happens to
  stop"...

> - _After_ this disconnenction happens a user tries to start xscreensaver
> - Then xscreensaver refuses to start.
>
Comment 5 Vincent Danen 2010-12-23 16:57:57 UTC 
MITRE's description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-0887. Reason: This candidate is a duplicate of CVE-2008-0887. Notes: All CVE users should reference CVE-2008-0887 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.