Re: gnome-screensaver vulnerability (CVE-2010-0414)

[Vincent Danen <vdanen () redhat com>]

* [2010-02-08 09:48:22 -0700] Vincent Danen wrote:

> This is a heads up on a gnome-screensaver issue that was fixed upstream
> today.
>
> In version 2.28, it is possible to circumvent the security of screen
> locking functionality by changing the physical monitor configuration.
>
> Details are available in our bugzilla, along with the patch being used
> by upstream to correct the issue:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=562217
>
> We have assigned CVE-2010-0414 to this issue.
>
> The code that caused this issue went into gnome-screensaver during the
> 2.24 development cycle, but auto-configuration of hotplugged monitors
> didn't show up until 2.28, and that is a pre-requisite for triggering
> the bug, so only 2.28 is vulnerable.
>
> References:
>
> http://git.gnome.org/browse/gnome-screensaver/commit/?id=a5f66339be6719c2b8fc478a1d5fc6545297d950
> https://bugzilla.gnome.org/show_bug.cgi?id=609337

A similar issue was also just found.  We have assigned CVE-2010-0422 to
the new flaw that is similar to this.

https://bugzilla.redhat.com/show_bug.cgi?id=564464
https://bugzilla.gnome.org/show_bug.cgi?id=609789

There are links to the upstream commits in the gnome bug report.

As with the previous issue, this one also only affects version 2.28.

--
Vincent Danen / Red Hat Security Response Team