Bug 703483 (CVE-2011-2187)

Summary: CVE-2011-2187 xscreensaver: exits when activated (DPMSForceLevel)
Product: [Other] Security Response Reporter: Henrique Martins <fedora>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jlieskov, mtasaka
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: xscreensaver-5.13-3.fc15 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-13 23:13:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Henrique Martins 2011-05-10 13:47:26 UTC
Description of problem:
Latest xscreensaver exits when activated leaving screens unlocked, big security risk if one doesn't notice it and relies on it to lock the screen

Version-Release number of selected component (if applicable):
kernel-devel-2.6.35.12-90.fc14 both i686 and x86_64

How reproducible:
Every single time

Steps to Reproduce:
1. start xscreensaver
2. activate with xscreensaver-command -lock
  
Actual results:
xscreensaver exits with error message (or similar):
xscreensaver: <timestamp>: X Error! PLEASE REPORT THIS BUG.
xscreensaver: <timestapm>: screen 0/0: 0xfa, 0x0, 0x1e00001

###########################################################

X Error of failed request: BadMatch (invalid parameter attributes)
  Major opcode of failed request:  132 (DPMS)
  Minor opcode of failed request:  6 (DPMSForceLevel)
  ....

Expected results:
screen locked

Additional info:
Previous version worked fine

Comment 1 Henrique Martins 2011-05-10 13:50:04 UTC
Sorry cut & pasted version from VNC didn't work!
Actual version-release number is:
  xscreensaver-5.13-1.fc14 both i686 and x86_64

Comment 2 Mamoru TASAKA 2011-05-10 14:10:04 UTC
Does not seem to be reproducible with me (although I am using F-15). Would you
do the following? Thank you.

- Attach /etc/X11/xorg.conf (if any), and /var/log/Xorg.0.log
- Attach ~/.xscreensaver
- Once kill xscreensaver with
  $ xscreensaver-command -exit
  , and attach the output of
  $ xscreensaver -debug

Comment 3 Mamoru TASAKA 2011-05-10 14:25:52 UTC
Maybe $ xscreensaver -sync -verbose -debug
is more useful.

Comment 4 Henrique Martins 2011-05-10 14:35:19 UTC
Tried that (or maybe -log ... instead of -debug), same result, no core. Need to look into core limit settings but can't do it till later. Reverting a few machines ...

Comment 5 Mamoru TASAKA 2011-05-10 14:41:19 UTC
For this issue, dumping core needs "-sync" option.

Comment 6 Mamoru TASAKA 2011-05-10 15:21:38 UTC
Easily reproducible with
- MODE: Blank screen only
- "Power Management Enabled": unchecked
- and execute $ xscreensaver-command -act

:(

Comment 7 Henrique Martins 2011-05-10 15:39:54 UTC
Yes, those are my settings, guess I don't need to check further.
Reverted to, and works fine with xscreensaver-5.12-14.

Comment 8 Fedora Update System 2011-05-10 17:12:55 UTC
xscreensaver-5.13-2.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/xscreensaver-5.13-2.fc15

Comment 9 Fedora Update System 2011-05-10 17:13:11 UTC
xscreensaver-5.13-2.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/xscreensaver-5.13-2.fc14

Comment 10 Henrique Martins 2011-05-10 17:30:32 UTC
x86_64 works, will try i686 in a moment, but this set of rpms has the same problem that xscreensaver-5.12-14.fc14.x86_64 had, i.e. yum complains:
  Package xscreensaver-gl-base-5.13-2.fc14.x86_64.rpm is not signed
and requires a --nogpgcheck to be installed.

Comment 11 Henrique Martins 2011-05-10 17:42:53 UTC
i686 also works, xscreensaver-gl-base is also not signed

Comment 12 Fedora Update System 2011-05-10 21:17:03 UTC
Package xscreensaver-5.13-2.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing xscreensaver-5.13-2.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/xscreensaver-5.13-2.fc14
then log in and leave karma (feedback).

Comment 13 Mamoru TASAKA 2011-05-11 00:58:28 UTC
I guess now all these new rpms (except for ones for rawhide) are signed
(packages are to be signed just before they are pushed into testing or stable repository).  However thank you for quick confirmation.

Comment 14 Fedora Update System 2011-05-13 23:13:12 UTC
xscreensaver-5.13-2.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2011-05-16 03:28:21 UTC
xscreensaver-5.13-3.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/xscreensaver-5.13-3.fc15

Comment 16 Fedora Update System 2011-05-25 02:24:36 UTC
xscreensaver-5.13-3.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Jan Lieskovsky 2011-06-03 17:03:48 UTC
This issue did NOT affect the version of the xscreensaver package, as shipped
with Red Hat Enterprise Linux 4.

--

This issue did NOT affect the version of the xscreensaver package, as present
within EPEL-6 repository.

Comment 18 Huzaifa S. Sidhpurwala 2011-06-07 06:12:21 UTC
This has been assigned CVE-2011-2187 via:
http://thread.gmane.org/gmane.comp.security.oss.general/5186/focus=5209

Comment 19 Huzaifa S. Sidhpurwala 2011-06-07 06:13:20 UTC
Statement:

Not vulnerable. This issue did not affect the versions of xscreensaver as
shipped with Red Hat Enterprise Linux 4.