Bug 632978 (CVE-2009-4996)

Summary: CVE-2009-4996 Xfce-session4: Screen not locked after resume from suspend / hibernate launched from xfce4-session-logout
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: christoph.wickert, collura, hwj, kevin
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-22 16:11:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 525395, 587633, 614608
Bug Blocks:

Description Jan Lieskovsky 2010-09-12 10:34:47 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4996 to
the following vulnerability:

** DISPUTED **

Xfce4-session 4.5.91 in Xfce does not lock the screen when the suspend
or hibernate button is pressed, which might make it easier for
physically proximate attackers to access an unattended laptop via a
resume action, a related issue to CVE-2010-2532. NOTE: there is no
general agreement that this is a vulnerability, because separate
control over locking can be an equally secure, or more secure,
behavior in some threat environments.

References:
[1] http://bugzilla.xfce.org/show_bug.cgi?id=4805
[2] https://bugzilla.redhat.com/show_bug.cgi?id=525395
[3] https://bugzilla.redhat.com/show_bug.cgi?id=587633
[4] https://bugzilla.redhat.com/show_bug.cgi?id=614608
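The description above concerns a desktop session that comes back from suspend or hibernate with the screen still unlocked. The following is an added example, not code from this bug report or from the Xfce project: a systemd system-sleep hook that asks logind to lock every session before the machine goes to sleep, so the desktop is already locked when it resumes. It assumes a systemd-based system (which the xfce4-session 4.5.91 of 2009 did not require), and the hook file name `10-lock-sessions` is a placeholder of my choosing. The lock decision is kept in a function so it can be exercised without actually suspending.

```shell
#!/bin/sh
# Added example (not from this bug or from Xfce): a systemd system-sleep hook
# that locks every logind session just before suspend or hibernate.
# Assumes a systemd-based system. Install as an executable file under
# /usr/lib/systemd/system-sleep/ (hypothetical name: 10-lock-sessions).
# systemd invokes each hook as:
#   <script> pre|post suspend|hibernate|hybrid-sleep|suspend-then-hibernate

# LOCK_CMD can be overridden (e.g. LOCK_CMD=true) to test the logic offline.
LOCK_CMD="${LOCK_CMD:-loginctl lock-sessions}"

# should_lock PHASE ACTION -> exit status 0 when sessions must be locked now.
# Only the "pre" phase of a sleep action qualifies: locking on "post" (resume)
# would briefly expose the unlocked desktop, which is exactly the window
# this bug describes.
should_lock() {
    phase="$1"
    action="$2"
    [ "$phase" = "pre" ] || return 1
    case "$action" in
        suspend|hibernate|hybrid-sleep|suspend-then-hibernate) return 0 ;;
        *) return 1 ;;
    esac
}

# lock_hook PHASE ACTION -> runs LOCK_CMD when should_lock agrees and
# prints a one-line record of what it did (useful in the journal).
lock_hook() {
    if should_lock "$1" "$2"; then
        $LOCK_CMD
        echo "locked sessions before $2"
    else
        echo "no action for $1 $2"
    fi
}

# When systemd executes the hook it passes two arguments; act on them.
if [ "$#" -ge 2 ]; then
    lock_hook "$1" "$2"
fi
```

Installed with execute permission under /usr/lib/systemd/system-sleep/, the script is run by systemd with `pre suspend` before sleeping and `post suspend` after resume, and only the `pre` call triggers the lock. The CVE text's own caveat applies: where locking is deliberately kept separate from suspend, this hook removes that separate control, so it is a site decision rather than a default.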

Comment 1 Christoph Wickert 2010-09-12 11:26:57 UTC
Who requested this CVE? Has there been any attempt to contact upstream? If not, why doesn't RH Security Response do this?

Comment 2 Jan Lieskovsky 2010-09-12 11:51:04 UTC
Hi Christoph,

  this CVE was assigned recently by Mitre:
[1] http://cve.mitre.org/

The only purpose of this Red Hat Bugzilla entry is to track the particular
CVE id for future reference (in case some customers ask for information
regarding it) and to perform further research on it (to determine whether
the described behavior represents a security threat).

It is possible that, after the research is complete, this bug will be closed
(with the appropriate resolution). But until then we need to track it and
need a way to reference it.

Hope this helps.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Comment 3 Christoph Wickert 2010-09-12 12:02:06 UTC
Thanks for your reply, Jan.

(In reply to comment #2)
>   this CVE was assigned recently by Mitre:

AFAIK there usually is somebody who *requests* the CVE from Mitre before it actually gets assigned. I would have expected this person to contact upstream first (which I did in the meantime).

Comment 4 Christoph Wickert 2011-06-17 23:24:42 UTC
Jan, can you tell me who actually requested the CVE?

Comment 5 Jan Lieskovsky 2011-06-20 09:26:35 UTC
Hi Christoph,

  unfortunately I can't. We found out about this report from the new
CVE-2009-4996 identifier description in the Mitre CVE database, once it was assigned.

So I do not know on which basis this was assigned.

But when looking at the CVE-2009-4996 references:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4996

it looks like the earliest entry, which (probably) led to the CVE assignment, is the
upstream bug report:
[2] https://bugzilla.xfce.org/show_bug.cgi?id=4805

But you can privately check with Steven Christey of Mitre to be definitely
sure about the catalyst for the assignment.

Hope this helps. Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

(In reply to comment #4)
> Jan, can you tell me who actually requested the CVE?

Comment 6 hwj 2023-08-21 00:18:37 UTC
A solution may come from this other, related solution: https://github.com/linuxmint/cinnamon/issues/4324#issuecomment-1685426989