Bug 564572 (CVE-2009-4641)

Summary: CVE-2009-4641 gnome-screensaver: missing session inhibit removal
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: cschalle, mclasen, rstrode
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: https://bugzilla.gnome.org/show_bug.cgi?id=600488
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-19 09:10:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 564574    
Bug Blocks:    

Description Jan Lieskovsky 2010-02-13 12:53:50 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4641 to
the following vulnerability:

gnome-screensaver 2.28.0 does not resume adherence to its activation
settings after an inhibiting application becomes unavailable on the
session bus, which allows physically proximate attackers to access an
unattended workstation on which screen locking had been intended.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4641
  https://bugzilla.gnome.org/show_bug.cgi?id=600488
  https://launchpad.net/bugs/411350
  http://www.ubuntu.com/usn/USN-866-1

Upstream patch:
  http://git.gnome.org/browse/gnome-screensaver/commit/?id=284c9924969a49dbf2d5fae1d680d3310c4df4a3
Comment 2 Jan Lieskovsky 2010-02-13 12:58:11 UTC 
This issue affects the version of gnome-screensaver package, 
as shipped with Red Hat Enterprise Linux 5.

This issue affects the version of the gnome-screensaver package,
as shipped with Fedora release of 11.

This issue does NOT affect the version of the gnome-screensaver
package, as shipped with Fedora release of 12 -- current
gnome-screensaver-2.28.1-2.fc12 already contains fix for this flaw.
Comment 4 Ray Strode [halfline] 2010-03-16 17:43:55 UTC 
RHEL 5 is not affected by this issue.  Some time after RHEL 5, the inhibiting interface was moved to gnome-session from gnome-screensaver, and a compat shim was put in place in gnome-screensaver to keep the old interface working.

This compat shim had a bug in it which is the root of

https://bugzilla.gnome.org/show_bug.cgi?id=600488

Since RHEL5 predates the inhibiting interface migration to gnome-session and predates the compat shim, it is uneffected.
Comment 5 Tomas Hoger 2010-03-17 08:02:39 UTC 
Ray, thank you for clarification!
Comment 6 Rakesh Pandit 2010-05-29 10:36:29 UTC 
This must already be in latest stable releases for fedora at least.