Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4641 to the following vulnerability:

gnome-screensaver 2.28.0 does not resume adherence to its activation settings after an inhibiting application becomes unavailable on the session bus, which allows physically proximate attackers to access an unattended workstation on which screen locking had been intended.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4641
https://bugzilla.gnome.org/show_bug.cgi?id=600488
https://launchpad.net/bugs/411350
http://www.ubuntu.com/usn/USN-866-1

Upstream patch:
http://git.gnome.org/browse/gnome-screensaver/commit/?id=284c9924969a49dbf2d5fae1d680d3310c4df4a3
This issue affects the version of the gnome-screensaver package, as shipped with Red Hat Enterprise Linux 5.

This issue affects the version of the gnome-screensaver package, as shipped with Fedora release of 11.

This issue does NOT affect the version of the gnome-screensaver package, as shipped with Fedora release of 12 -- current gnome-screensaver-2.28.1-2.fc12 already contains a fix for this flaw.
RHEL 5 is not affected by this issue. Some time after RHEL 5, the inhibiting interface was moved to gnome-session from gnome-screensaver, and a compat shim was put in place in gnome-screensaver to keep the old interface working. This compat shim had a bug in it which is the root of https://bugzilla.gnome.org/show_bug.cgi?id=600488. Since RHEL5 predates the inhibiting interface migration to gnome-session and predates the compat shim, it is unaffected.
Ray, thank you for the clarification!
This must already be in the latest stable releases for Fedora at least.
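
The CVE description above comes down to inhibitor bookkeeping: an inhibit request must stop counting once its owner leaves the session bus. The following is an added, simplified model of that invariant, not gnome-screensaver or gnome-session code and not the upstream patch; every name in it (`inhibit`, `uninhibit`, `owner_vanished`, `may_activate`) and the bus names used to exercise it are hypothetical.

```c
#include <string.h>

#define MAX_INHIBITORS 16

/* One inhibit request: the cookie handed back to the caller plus the
   caller's unique session-bus name (constructed example: ":1.42"). */
struct inhibitor { unsigned cookie; char owner[32]; int used; };

static struct inhibitor table[MAX_INHIBITORS];
static unsigned next_cookie = 1;

/* Record an inhibit request; returns the cookie, or 0 if the table is full. */
unsigned inhibit(const char *owner) {
    for (int i = 0; i < MAX_INHIBITORS; i++) {
        if (!table[i].used) {
            table[i].used = 1;
            table[i].cookie = next_cookie++;
            strncpy(table[i].owner, owner, sizeof table[i].owner - 1);
            table[i].owner[sizeof table[i].owner - 1] = '\0';
            return table[i].cookie;
        }
    }
    return 0;
}

/* Explicit release by cookie; returns 1 if an entry was removed. */
int uninhibit(unsigned cookie) {
    for (int i = 0; i < MAX_INHIBITORS; i++)
        if (table[i].used && table[i].cookie == cookie) { table[i].used = 0; return 1; }
    return 0;
}

/* Called when a bus name loses its owner (the client exited or crashed):
   drop every inhibitor it held. Without this step the stale entry keeps
   idle locking disabled, which is the failure the CVE describes. */
int owner_vanished(const char *owner) {
    int dropped = 0;
    for (int i = 0; i < MAX_INHIBITORS; i++)
        if (table[i].used && strcmp(table[i].owner, owner) == 0) { table[i].used = 0; dropped++; }
    return dropped;
}

/* Idle activation (and locking) is allowed only when no inhibitor remains. */
int may_activate(void) {
    for (int i = 0; i < MAX_INHIBITORS; i++)
        if (table[i].used) return 0;
    return 1;
}
```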