Bug 703483 (CVE-2011-2187) - CVE-2011-2187 xscreensaver: exits when activated (DPMSForceLevel)
Summary: CVE-2011-2187 xscreensaver: exits when activated (DPMSForceLevel)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-2187
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-05-10 13:47 UTC by Henrique Martins
Modified: 2021-02-24 15:28 UTC (History)

Fixed In Version: xscreensaver-5.13-3.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-13 23:13:21 UTC
Embargoed:



Description Henrique Martins 2011-05-10 13:47:26 UTC
Description of problem:
Latest xscreensaver exits when activated leaving screens unlocked, big security risk if one doesn't notice it and relies on it to lock the screen

Version-Release number of selected component (if applicable):
kernel-devel-2.6.35.12-90.fc14 both i686 and x86_64

How reproducible:
Every single time

Steps to Reproduce:
1. start xscreensaver
2. activate with xscreensaver-command -lock
  
Actual results:
xscreensaver exits with error message (or similar):
xscreensaver: <timestamp>: X Error! PLEASE REPORT THIS BUG.
xscreensaver: <timestamp>: screen 0/0: 0xfa, 0x0, 0x1e00001

###########################################################

X Error of failed request: BadMatch (invalid parameter attributes)
  Major opcode of failed request:  132 (DPMS)
  Minor opcode of failed request:  6 (DPMSForceLevel)
  ....

Expected results:
screen locked

Additional info:
Previous version worked fine

Comment 1 Henrique Martins 2011-05-10 13:50:04 UTC
Sorry, cut & pasted version from VNC didn't work!
Actual version-release number is:
  xscreensaver-5.13-1.fc14 both i686 and x86_64

Comment 2 Mamoru TASAKA 2011-05-10 14:10:04 UTC
Does not seem to be reproducible for me (although I am using F-15). Would you
do the following? Thank you.

- Attach /etc/X11/xorg.conf (if any), and /var/log/Xorg.0.log
- Attach ~/.xscreensaver
- Kill xscreensaver once with
  $ xscreensaver-command -exit
  and attach the output of
  $ xscreensaver -debug

Comment 3 Mamoru TASAKA 2011-05-10 14:25:52 UTC
Maybe $ xscreensaver -sync -verbose -debug
is more useful.

Comment 4 Henrique Martins 2011-05-10 14:35:19 UTC
Tried that (or maybe -log ... instead of -debug), same result, no core. Need to look into core limit settings but can't do it till later. Reverting a few machines ...

Comment 5 Mamoru TASAKA 2011-05-10 14:41:19 UTC
For this issue, dumping core needs "-sync" option.

Comment 6 Mamoru TASAKA 2011-05-10 15:21:38 UTC
Easily reproducible with
- MODE: Blank screen only
- "Power Management Enabled": unchecked
- and execute $ xscreensaver-command -act

:(

Comment 7 Henrique Martins 2011-05-10 15:39:54 UTC
Yes, those are my settings, guess I don't need to check further.
Reverted to, and works fine with xscreensaver-5.12-14.

Comment 8 Fedora Update System 2011-05-10 17:12:55 UTC
xscreensaver-5.13-2.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/xscreensaver-5.13-2.fc15

Comment 9 Fedora Update System 2011-05-10 17:13:11 UTC
xscreensaver-5.13-2.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/xscreensaver-5.13-2.fc14

Comment 10 Henrique Martins 2011-05-10 17:30:32 UTC
x86_64 works, will try i686 in a moment, but this set of rpms has the same problem that xscreensaver-5.12-14.fc14.x86_64 had, i.e. yum complains:
  Package xscreensaver-gl-base-5.13-2.fc14.x86_64.rpm is not signed
and requires a --nogpgcheck to be installed.

Comment 11 Henrique Martins 2011-05-10 17:42:53 UTC
i686 also works, xscreensaver-gl-base is also not signed

Comment 12 Fedora Update System 2011-05-10 21:17:03 UTC
Package xscreensaver-5.13-2.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing xscreensaver-5.13-2.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/xscreensaver-5.13-2.fc14
then log in and leave karma (feedback).

Comment 13 Mamoru TASAKA 2011-05-11 00:58:28 UTC
I guess now all these new rpms (except for ones for rawhide) are signed
(packages are to be signed just before they are pushed into the testing or stable repository). However, thank you for the quick confirmation.

Comment 14 Fedora Update System 2011-05-13 23:13:12 UTC
xscreensaver-5.13-2.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2011-05-16 03:28:21 UTC
xscreensaver-5.13-3.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/xscreensaver-5.13-3.fc15

Comment 16 Fedora Update System 2011-05-25 02:24:36 UTC
xscreensaver-5.13-3.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Jan Lieskovsky 2011-06-03 17:03:48 UTC
This issue did NOT affect the version of the xscreensaver package, as shipped
with Red Hat Enterprise Linux 4.

--

This issue did NOT affect the version of the xscreensaver package, as present
within EPEL-6 repository.

Comment 18 Huzaifa S. Sidhpurwala 2011-06-07 06:12:21 UTC
This has been assigned CVE-2011-2187 via:
http://thread.gmane.org/gmane.comp.security.oss.general/5186/focus=5209

Comment 19 Huzaifa S. Sidhpurwala 2011-06-07 06:13:20 UTC
Statement:

Not vulnerable. This issue did not affect the versions of xscreensaver as
shipped with Red Hat Enterprise Linux 4.

