Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1683 to the following vulnerability: xscreensaver on Fedora 8, when an NIS authentication server is enabled, exits if this server is unavailable as the xscreensaver process is starting, which allows physically proximate attackers to gain access to a workstation session for which locking was intended, a related issue to CVE-2007-1859.
References: https://bugzilla.redhat.com/show_bug.cgi?id=435773
CC-ing to jwz.
This was fixed in 2005 or something. If Red Hat would stop shipping xscreensaver 4.24, I might get to stop hearing about this someday.
(In reply to comment #0)
> xscreensaver on Fedora 8, when an NIS authentication server is enabled, exits if this server is unavailable as the xscreensaver process is starting,
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=435773

Well, I don't use NIS, however do you mean
https://bugzilla.redhat.com/show_bug.cgi?id=435773#c11 ? This says
- The system uses NIS authentication
- The network connection to NIS happens to start
- _After_ this disconnection happens a user tries to start xscreensaver
- Then xscreensaver refuses to start.

(again I don't use NIS, so I am just guessing what is happening)

As far as I read bug 435773, xscreensaver refuses to start at the lines 1520-1521 of src/xscreensaver.c, however IMO this is perhaps what xscreensaver just expects.

Note that Fedora-8 xscreensaver is now 5.05.
(In reply to comment #3)
> Well, I don't use NIS, however do you mean
> https://bugzilla.redhat.com/show_bug.cgi?id=435773#c11 ? This says
> - The system uses NIS authentication
> - The network connection to NIS happens to start

This line should read as "The network connection to NIS happens to stop"...

> - _After_ this disconnection happens a user tries to start xscreensaver
> - Then xscreensaver refuses to start.
MITRE's description: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-0887. Reason: This candidate is a duplicate of CVE-2008-0887. Notes: All CVE users should reference CVE-2008-0887 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.