Bug 632978 (CVE-2009-4996) - CVE-2009-4996 Xfce-session4: Screen not locked after resume from suspend / hibernate launched from xfce4-session-logout
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2009-4996
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 525395 587633 CVE-2010-2532
Blocks:
Reported: 2010-09-12 10:34 UTC by Jan Lieskovsky
Modified: 2023-08-21 00:18 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-22 16:11:02 UTC
Embargoed:
Description Jan Lieskovsky 2010-09-12 10:34:47 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4996 to
the following vulnerability:

** DISPUTED **

Xfce4-session 4.5.91 in Xfce does not lock the screen when the suspend
or hibernate button is pressed, which might make it easier for
physically proximate attackers to access an unattended laptop via a
resume action, a related issue to CVE-2010-2532. NOTE: there is no
general agreement that this is a vulnerability, because separate
control over locking can be an equally secure, or more secure,
behavior in some threat environments.

References:
[1] http://bugzilla.xfce.org/show_bug.cgi?id=4805
[2] https://bugzilla.redhat.com/show_bug.cgi?id=525395
[3] https://bugzilla.redhat.com/show_bug.cgi?id=587633
[4] https://bugzilla.redhat.com/show_bug.cgi?id=614608
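The mitigation the CVE text is about (lock the session before it is put to sleep), as an added shell example that is not Xfce's code and not part of this report: a wrapper that locks the display and fails closed, refusing to suspend when no locker is available or the locker fails. The candidate locker commands and `systemctl suspend` are assumptions about the target system.

```shell
#!/bin/sh
# Added example, not from xfce4-session or this bug report.
# Assumes an X session with one of xflock4 / xdg-screensaver / loginctl on
# PATH and systemctl for the actual suspend; adjust for your desktop.

# Print the first candidate locker command (given as arguments) whose
# executable exists on PATH. Returns 1 if none is available.
pick_locker() {
    for cmd in "$@"; do
        # "${cmd%% *}" keeps only the executable part of "prog args"
        if command -v "${cmd%% *}" >/dev/null 2>&1; then
            printf '%s\n' "$cmd"
            return 0
        fi
    done
    return 1
}

# $1: command that puts the machine to sleep; remaining args: locker
# candidates in order of preference. Fails closed: the sleep command is
# only run after a locker has been found and has returned successfully.
# Exit codes: 0 ok, 2 no locker available, 3 locker failed.
lock_then_sleep() {
    sleep_cmd="$1"
    shift
    locker="$(pick_locker "$@")" || {
        echo "no screen locker found; refusing to suspend" >&2
        return 2
    }
    # Unquoted on purpose so "xdg-screensaver lock" splits into prog + arg
    $locker || {
        echo "locker '$locker' failed; refusing to suspend" >&2
        return 3
    }
    sleep 1   # give the locker a moment to grab the display before sleeping
    $sleep_cmd
}

# Entry point: only acts when invoked with --run, so the file can be
# sourced or read without touching the machine.
if [ "${1:-}" = "--run" ]; then
    lock_then_sleep "systemctl suspend" \
        xflock4 "xdg-screensaver lock" "loginctl lock-session"
fi
```

Bind this script (with `--run`) to the suspend/hibernate action instead of calling the sleep command directly; the wrapper then either locks first or does nothing.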

Comment 1 Christoph Wickert 2010-09-12 11:26:57 UTC
Who requested this CVE? Has there been any attempt to contact upstream? If not, why doesn't RH Security Response do this?

Comment 2 Jan Lieskovsky 2010-09-12 11:51:04 UTC
Hi Christoph,

  this CVE was assigned recently by Mitre:
[1] http://cve.mitre.org/

The only purpose this Red Hat Bugzilla entry has been filed for is
to track the particular CVE id for future reference (in case some of the
customers ask for information regarding it) and to perform further
research on it (to determine whether the described behavior can represent a
security threat).

It is possible that after the research is complete this bug will be closed
(with the appropriate resolution). But until then we need to track
it and need a way to reference it.

Hope this helps.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Comment 3 Christoph Wickert 2010-09-12 12:02:06 UTC
Thanks for your reply, Jan.

(In reply to comment #2)
>   this CVE was assigned recently by Mitre:

AFAIK there usually is somebody to *request* the CVE from Mitre before it gets actually assigned. I would have expected this person to contact upstream first (which I did in the meantime).

Comment 4 Christoph Wickert 2011-06-17 23:24:42 UTC
Jan, can you tell me who actually requested the CVE?

Comment 5 Jan Lieskovsky 2011-06-20 09:26:35 UTC
Hi Christoph,

  unfortunately I can't. We found out about this report from new CVE-2009-4996
CVE identifier description from the Mitre CVE database, once it was assigned.

So I do not know on which basis this was assigned.

But when looking at the CVE-2009-4996 references:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4996

it looks like the earliest entry which (probably) led to the CVE assignment is the
upstream bug report:
[2] https://bugzilla.xfce.org/show_bug.cgi?id=4805

But you can privately check with Steven Christey of Mitre to be definitely
sure about the catalyst that led to the assignment.

Hope this helps. Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

(In reply to comment #4)
> Jan, can you tell me who actually requested the CVE?

Comment 6 hwj 2023-08-21 00:18:37 UTC
A solution may be found in this other related solution: https://github.com/linuxmint/cinnamon/issues/4324#issuecomment-1685426989
