Bug 441451 – CVE-2008-1683 xscreensaver: fails to start if NIS authentication is used and network is unavailable

Bug 441451 - (CVE-2008-1683) CVE-2008-1683 xscreensaver: fails to start if NIS authentication is used and network is unavailable

Summary:	CVE-2008-1683 xscreensaver: fails to start if NIS authentication is used and ...

Status:	CLOSED NOTABUG

Aliases:	CVE-2008-1683

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:	http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:	reported=20080314,source=redhat,publi...
Keywords:	Security

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2008-04-08 03:24 EDT by Tomas Hoger
Modified:	2010-12-23 11:57 EST (History)
CC List:	3 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2010-12-23 11:57:57 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Tomas Hoger 2008-04-08 03:24:35 EDT

Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1683 to the following vulnerability:

xscreensaver on Fedora 8, when an NIS authentication server is enabled, exits if this server is unavailable as the xscreensaver process is starting, which allows physically proximate attackers to gain access to a workstation session for which locking was intended, a related issue to CVE-2007-1859.

Refences:
https://bugzilla.redhat.com/show_bug.cgi?id=435773

Comment 1 Mamoru TASAKA 2008-04-08 03:36:41 EDT

CC-ing to jwz.

Comment 2 Jamie Zawinski 2008-04-08 05:01:54 EDT

This was fixed in 2005 or something. If Red Hat would stop shipping xscreensaver 4.24, I might get to 
stop hearing about this someday.

Comment 3 Mamoru TASAKA 2008-04-08 05:51:52 EDT

(In reply to comment #0)
> xscreensaver on Fedora 8, when an NIS authentication server is enabled, exits
if this server is unavailable as the xscreensaver process is starting, 

> Refences:
> https://bugzilla.redhat.com/show_bug.cgi?id=435773

Well, I don't use NIS, however do you mean 
https://bugzilla.redhat.com/show_bug.cgi?id=435773#c11 ? This says
- The system uses NIS authentication
- The network connection to NIS happens to start
- _After_ this disconnenction happens a user tries to start xscreensaver
- Then xscreensaver refuses to start.

(again I don't use NIS, so I am just guessing what is happening)
As far as I read bug 435773, xscreensaver refuses  to start at
the lines 1520-1521 of src/xscreensaver.c, however IMO this is perhaps
what xscreensaver just expects.

Note that Fedora-8 xscreensaver is now 5.05.

Comment 4 Mamoru TASAKA 2008-04-08 05:54:56 EDT

(In reply to comment #3)
> Well, I don't use NIS, however do you mean 
> https://bugzilla.redhat.com/show_bug.cgi?id=435773#c11 ? This says
> - The system uses NIS authentication
> - The network connection to NIS happens to start

  This line should read as "The network connection to NIS happens to
  stop"...

> - _After_ this disconnenction happens a user tries to start xscreensaver
> - Then xscreensaver refuses to start.
>

Comment 5 Vincent Danen 2010-12-23 11:57:57 EST

MITRE's description:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-0887. Reason: This candidate is a duplicate of CVE-2008-0887. Notes: All CVE users should reference CVE-2008-0887 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Note You need to log in before you can comment on or make changes to this bug.