Chris Coulson reported gnome-screensaver is prone to a race condition between two subsequent actions -- shaking the unlock dialog and clearing the screen. A local attacker could use this flaw to cause a denial of service (gnome-screensaver crash), which allows physically proximate attackers to access an unattended workstation on which screen locking had been intended.

Upstream bug report: https://bugzilla.gnome.org/show_bug.cgi?id=598476

Upstream patch: http://git.gnome.org/browse/gnome-screensaver/commit/?id=ab08cc93f2dc6223c8c00bfa1ca4f2d89069dbe0

CVE Request: http://www.openwall.com/lists/oss-security/2010/02/12/1

References: http://www.heise.de/newsticker/meldung/Gnome-Bildschirmsperre-in-OpenSuse-Linux-wirkungslos-928580.html
This issue affects the version of the gnome-screensaver package, as shipped with Red Hat Enterprise Linux 5. This issue affects the current version of the gnome-screensaver package, as shipped with Fedora release of 11 (gnome-screensaver-2.26.1-3.fc11). This issue does NOT affect the current version of the gnome-screensaver package, as shipped with Fedora 12 (gnome-screensaver-2.28.3-1.fc12) -- this issue was already addressed here.
This bug isn't a gnome-screensaver bug. It was a gtk bug. The patch from Chris Coulson was committed, but it wasn't the fix for the problem. The fix for the problem was in gtk.

Fix was here: http://git.gnome.org/browse/gtk+/commit/?id=0748cf563d0d0d03001a62589f13be16a8ec06c1

This bug does not affect RHEL5 or Fedora 11.
This issue was assigned CVE-2010-0732.