Red Hat Bugzilla – Bug 703483
CVE-2011-2187 xscreensaver: exits when activated (DPMSForceLevel)
Last modified: 2011-06-07 02:13:20 EDT
Description of problem: Latest xscreensaver exits when activated leaving screens unlocked, big security risk if one doesn't notice it and relies on it to lock the screen Version-Release number of selected component (if applicable): kernel-devel-2.6.35.12-90.fc14 both i686 and x86_64 How reproducible: Every single time Steps to Reproduce: 1. start xscreensaver 2. activate with xscreensaver-command -lock Actual results: xscreensaver exits with error message (or similar): xscreensaver: <timestamp>: X Error! PLEASE REPORT THIS BUG. xscreensaver: <timestapm>: screen 0/0: 0xfa, 0x0, 0x1e00001 ########################################################### X Error of failed request: BadMatch (invalid parameter attributes) Major opcode of failed request: 132 (DPMS) Minor opcode of failed request: 6 (DPMSForceLevel) .... Expected results: screen locked Additional info: Previous version worked fine
Sorry cut & pasted version from VNC didn't work! Actual version-release number is: xscreensaver-5.13-1.fc14 both i686 and x86_64
Does not seem to be reproducible with me (although I am using F-15). Would you do the following? Thank you. - Attach /etc/X11/xorg.conf (if any), and /var/log/Xorg.0.log - Attach ~/.xscreensaver - Once kill xscreensaver with $ xscreensaver-command -exit , and attach the output of $ xscreensaver -debug
Maybe $ xscreensaver -sync -verbose -debug is more useful.
Tried that (or maybe -log ... instead of -debug), same result, no core. Need to look into core limit settings but can't do it till later. Reverting a few machines ...
For this issue, dumping core needs "-sync" option.
Easily reproducible with - MODE: Blank screen only - "Power Management Enabled": unchecked - and execute $ xscreensaver-command -act :(
Yes, those are my settings, guess I don't need to check further. Reverted to, and works fine with xscreensaver-5.12-14.
xscreensaver-5.13-2.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/xscreensaver-5.13-2.fc15
xscreensaver-5.13-2.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/xscreensaver-5.13-2.fc14
x86_64 works, will try i686 in a moment, but this set of rpms has the same problem that xscreensaver-5.12-14.fc14.x86_64 had, i.e. yum complains: Package xscreensaver-gl-base-5.13-2.fc14.x86_64.rpm is not signed and requires a --nogpgcheck to be installed.
i686 also works, xscreensaver-gl-base is also not signed
Package xscreensaver-5.13-2.fc14: * should fix your issue, * was pushed to the Fedora 14 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing xscreensaver-5.13-2.fc14' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/xscreensaver-5.13-2.fc14 then log in and leave karma (feedback).
I guess now all these new rpms (except for ones for rawhide) are signed (packages are to be signed just before they are pushed into testing or stable repository). However thank you for quick confirmation.
xscreensaver-5.13-2.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
xscreensaver-5.13-3.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/xscreensaver-5.13-3.fc15
xscreensaver-5.13-3.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
This issue did NOT affect the version of the xscreensaver package, as shipped with Red Hat Enterprise Linux 4. -- This issue did NOT affect the version of the xscreensaver package, as present within EPEL-6 repository.
This has been assigned CVE-2011-2187 via: http://thread.gmane.org/gmane.comp.security.oss.general/5186/focus=5209
Statement: Not vulnerable. This issue did not affect the versions of xscreensaver as shipped with Red Hat Enterprise Linux 4.