Bug 564583 (CVE-2009-4642) - CVE-2009-4642 gnome-screensaver, xfce4-session: gnome-screensaver fails to determine session idle time when runned under Xfce
Summary: CVE-2009-4642 gnome-screensaver, xfce4-session: gnome-screensaver fails to de...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2009-4642
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: https://bugzilla.gnome.org/show_bug.c...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-02-13 14:12 UTC by Jan Lieskovsky
Modified: 2010-02-16 15:00 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-02-16 15:00:25 UTC


Attachments (Terms of Use)

Description Jan Lieskovsky 2010-02-13 14:12:32 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4642 to
the following vulnerability:

gnome-screensaver 2.26.1 relies on the gnome-session D-Bus interface
to determine session idle time, even when an Xfce desktop such as
Xubuntu or Mythbuntu is used, which allows physically proximate
attackers to access an unattended workstation on which screen locking
had been intended.

References:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536381
  http://bugzilla.xfce.org/show_bug.cgi?id=5927
  https://bugzilla.gnome.org/show_bug.cgi?id=592093
  https://launchpad.net/bugs/411350
  https://launchpad.net/bugs/493573

Comment 2 Kevin Fenzi 2010-02-13 20:20:18 UTC
Well, I don't think this affects the Xfce spin at least. We are using gdm, which requires gnome-session, so we have that installed on all the Xfce spin installs. 

It would be possible to switch to kdm/slim/whatever and remove gnome-session and gdm and run into this, but I don't think many people would do so. 

Perhaps gnome-screensaver should grow a dep on gnome-session to make sure it pulls in the needed functionality?

Comment 3 Ray Strode [halfline] 2010-02-16 15:00:25 UTC
It's a bit of a stretch to call this is a security vulnerability.  There are lots of misconfigurations of the system that can result in an insecure desktop.  This is just another one.

A package dep won't help here.  gnome-session has to be running the session for idle detection to work.

gnome-screensaver could potentially check for the org.gnome.SessionManager name on the bus or whatever, but it certainly isn't a security issue that it doesn't.  It's /gnome/ screensaver.  You're supposed to run it in gnome.  Running it outside of gnome isn't one of its project goals and it's not something that's supported.

It could potentially work in environments outside of gnome if they implement the same required interfaces, but that's a big if and it's up to those environments to provide those interfaces.


Note You need to log in before you can comment on or make changes to this bug.