|Summary:||CVE-2011-2187 xscreensaver: exits when activated (DPMSForceLevel)|
|Product:||[Other] Security Response||Reporter:||Henrique Martins <fedora>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Fixed In Version:||xscreensaver-5.13-3.fc15||Doc Type:||Bug Fix|
|Last Closed:||2011-05-13 23:13:21 UTC||Type:||---|
Description Henrique Martins 2011-05-10 13:47:26 UTC
Description of problem:
Latest xscreensaver exits when activated leaving screens unlocked, big security risk if one doesn't notice it and relies on it to lock the screen

Version-Release number of selected component (if applicable):
kernel-devel-126.96.36.199-90.fc14 both i686 and x86_64

How reproducible:
Every single time

Steps to Reproduce:
1. start xscreensaver
2. activate with xscreensaver-command -lock

Actual results:
xscreensaver exits with error message (or similar):

xscreensaver: <timestamp>: X Error! PLEASE REPORT THIS BUG.
xscreensaver: <timestamp>: screen 0/0: 0xfa, 0x0, 0x1e00001
###########################################################
X Error of failed request: BadMatch (invalid parameter attributes)
  Major opcode of failed request: 132 (DPMS)
  Minor opcode of failed request: 6 (DPMSForceLevel)
  ....

Expected results:
screen locked

Additional info:
Previous version worked fine
Comment 1 Henrique Martins 2011-05-10 13:50:04 UTC
Sorry cut & pasted version from VNC didn't work! Actual version-release number is: xscreensaver-5.13-1.fc14 both i686 and x86_64
Comment 2 Mamoru TASAKA 2011-05-10 14:10:04 UTC
Does not seem to be reproducible with me (although I am using F-15). Would you do the following? Thank you.
- Attach /etc/X11/xorg.conf (if any), and /var/log/Xorg.0.log
- Attach ~/.xscreensaver
- Once kill xscreensaver with
  $ xscreensaver-command -exit
  , and attach the output of
  $ xscreensaver -debug
Comment 3 Mamoru TASAKA 2011-05-10 14:25:52 UTC
Maybe
  $ xscreensaver -sync -verbose -debug
is more useful.
Comment 4 Henrique Martins 2011-05-10 14:35:19 UTC
Tried that (or maybe -log ... instead of -debug), same result, no core. Need to look into core limit settings but can't do it till later. Reverting a few machines ...
Comment 5 Mamoru TASAKA 2011-05-10 14:41:19 UTC
For this issue, dumping core needs "-sync" option.
Comment 6 Mamoru TASAKA 2011-05-10 15:21:38 UTC
Easily reproducible with
- MODE: Blank screen only
- "Power Management Enabled": unchecked
- and execute
  $ xscreensaver-command -act
:(
Comment 7 Henrique Martins 2011-05-10 15:39:54 UTC
Yes, those are my settings, guess I don't need to check further. Reverted to, and works fine with xscreensaver-5.12-14.
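Added example (not part of the original bug report): a POSIX shell check for the trigger configuration from comments 6 and 7, usable when auditing accounts that still run xscreensaver-5.13-1. It assumes that "Blank screen only" and an unchecked "Power Management Enabled" are stored in ~/.xscreensaver as "mode: blank" and "dpmsEnabled: False"; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes the settings file uses
# "key:<whitespace>value" lines with the keys "mode" and "dpmsEnabled".

# Print the last value assigned to key $2 in settings file $1.
xss_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                 # skip comment lines
        {
            i = index($0, ":"); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Return 0 if file $1 has the comment 6 trigger (blank-only mode with power
# management off), 1 if it does not, 2 if the file cannot be read.
# A file that lacks either key is reported as "no match", not guessed at.
xss_trigger_config() {
    [ -r "$1" ] || return 2
    mode=$(xss_value "$1" mode)
    dpms=$(xss_value "$1" dpmsEnabled | tr '[:upper:]' '[:lower:]')
    [ "$mode" = "blank" ] && [ "$dpms" = "false" ]
}

# Constructed sample settings files (not taken from any reporter's machine).
XSS_DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$XSS_DEMO_DIR"' EXIT
printf 'timeout:\t0:10:00\nlock:\t\tTrue\nmode:\t\tblank\ndpmsEnabled:\tFalse\n' \
    > "$XSS_DEMO_DIR/trigger"
printf 'lock:\t\tTrue\nmode:\t\trandom\ndpmsEnabled:\tTrue\n' \
    > "$XSS_DEMO_DIR/other"

for f in "$XSS_DEMO_DIR/trigger" "$XSS_DEMO_DIR/other"; do
    if xss_trigger_config "$f"; then
        echo "$f: matches the trigger configuration"
    else
        echo "$f: does not match"
    fi
done
```

A match only means the account has the settings reported to trigger the exit; whether the installed package is the affected 5.13-1 build still has to be checked separately.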
Comment 8 Fedora Update System 2011-05-10 17:12:55 UTC
xscreensaver-5.13-2.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/xscreensaver-5.13-2.fc15
Comment 9 Fedora Update System 2011-05-10 17:13:11 UTC
xscreensaver-5.13-2.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/xscreensaver-5.13-2.fc14
Comment 10 Henrique Martins 2011-05-10 17:30:32 UTC
x86_64 works, will try i686 in a moment, but this set of rpms has the same problem that xscreensaver-5.12-14.fc14.x86_64 had, i.e. yum complains:
  Package xscreensaver-gl-base-5.13-2.fc14.x86_64.rpm is not signed
and requires a --nogpgcheck to be installed.
Comment 11 Henrique Martins 2011-05-10 17:42:53 UTC
i686 also works, xscreensaver-gl-base is also not signed
Comment 12 Fedora Update System 2011-05-10 21:17:03 UTC
Package xscreensaver-5.13-2.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing xscreensaver-5.13-2.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/xscreensaver-5.13-2.fc14
then log in and leave karma (feedback).
Comment 13 Mamoru TASAKA 2011-05-11 00:58:28 UTC
I guess now all these new rpms (except for ones for rawhide) are signed (packages are to be signed just before they are pushed into testing or stable repository). However thank you for quick confirmation.
Comment 14 Fedora Update System 2011-05-13 23:13:12 UTC
xscreensaver-5.13-2.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2011-05-16 03:28:21 UTC
xscreensaver-5.13-3.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/xscreensaver-5.13-3.fc15
Comment 16 Fedora Update System 2011-05-25 02:24:36 UTC
xscreensaver-5.13-3.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
Comment 17 Jan Lieskovsky 2011-06-03 17:03:48 UTC
This issue did NOT affect the version of the xscreensaver package, as shipped with Red Hat Enterprise Linux 4.

--

This issue did NOT affect the version of the xscreensaver package, as present within EPEL-6 repository.
Comment 18 Huzaifa S. Sidhpurwala 2011-06-07 06:12:21 UTC
This has been assigned CVE-2011-2187 via: http://thread.gmane.org/gmane.comp.security.oss.general/5186/focus=5209
Comment 19 Huzaifa S. Sidhpurwala 2011-06-07 06:13:20 UTC
Statement: Not vulnerable. This issue did not affect the versions of xscreensaver as shipped with Red Hat Enterprise Linux 4.