Bug 565527 - (CVE-2010-0732) CVE-2010-0732 gnome-screensaver: Race condition between shaking the unlock dialog and clearing the screen
CVE-2010-0732 gnome-screensaver: Race condition between shaking the unlock di...
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
https://bugzilla.gnome.org/show_bug.c...
impact=important,source=oss-security,...
: Security
Depends On: 565532
Blocks:
  Show dependency treegraph
 
Reported: 2010-02-15 10:18 EST by Jan Lieskovsky
Modified: 2015-07-31 02:25 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-03-16 13:13:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2010-02-15 10:18:53 EST
Chris Coulson reported gnome-screensaver is prone to race
condition between two subsequent actions -- shaking the
unlock dialog and clearing the screen. A local attacker
could use this flaw to cause a denial of service
(gnome-screensaver crash), which allows physically proximate
attackers to access an unattended workstation on which screen
locking had been intended.

Upstream bug report:
  https://bugzilla.gnome.org/show_bug.cgi?id=598476

Upstream patch:
  http://git.gnome.org/browse/gnome-screensaver/commit/?id=ab08cc93f2dc6223c8c00bfa1ca4f2d89069dbe0

CVE Request:
  http://www.openwall.com/lists/oss-security/2010/02/12/1

References:
  http://www.heise.de/newsticker/meldung/Gnome-Bildschirmsperre-in-OpenSuse-Linux-wirkungslos-928580.html
Comment 1 Jan Lieskovsky 2010-02-15 10:22:41 EST
This issue affects the version of the gnome-screensaver package,
as shipped with Red Hat Enteprise Linux 5.

This issue affects the current version of the gnome-screensaver
package, as shipped with Fedora release of 11
(gnome-screensaver-2.26.1-3.fc11).

This issue does NOT affect the current version of
the gnome-screensaver package, as shipped with Fedora 12
(gnome-screensaver-2.28.3-1.fc12) -- this issue was already
addressed here.
Comment 3 Ray Strode [halfline] 2010-02-15 11:30:17 EST
this bug isn't a gnome-screensaver bug.  It was a gtk bug. The patch from Chris
Coulson was commited, but it wasn't the fix for the problem.  The fix for the
problem was in gtk.    

Fix was here:
http://git.gnome.org/browse/gtk+/commit/?id=0748cf563d0d0d03001a62589f13be16a8ec06c1    

This bug does not affect RHEL5 or Fedora 11.
Comment 4 Vincent Danen 2010-03-16 13:13:16 EDT
This issue was assigned CVE-2010-0732.

Note You need to log in before you can comment on or make changes to this bug.