Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, gpastore@debian.org (Guilherme de S. Pastore): Bug#455484; Package gnome-screensaver.
Acknowledgement sent to Paul Wise <pabs@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, gpastore@debian.org (Guilherme de S. Pastore).
Package: gnome-screensaver
Version: 2.20.0-2
Severity: normal
Tags: security
With the addition of the feature to send a message to the logged in user
when they return and unlock a locked session, this gives local attackers
the ability to read the X selection and clipboard buffers with a middle
click on the mouse and a Ctrl+V. I note that the box to leave a message
doesn't have a context menu that you could paste via, but it doesn't go
far enough.
Filed at severity normal since it isn't a really bad issue. Please
change the severity as you see fit.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.23-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages gnome-screensaver depends on:
ii dbus 1.1.2-1 simple interprocess messaging syst
ii gconf2 2.20.1-1 GNOME configuration database syste
ii gnome-icon-theme 2.20.0-1 GNOME Desktop icon theme
ii libatk1.0-0 1.20.0-1 The ATK accessibility toolkit
ii libc6 2.7-4 GNU C Library: Shared libraries
ii libcairo2 1.4.10-1.2 The Cairo 2D vector graphics libra
ii libdbus-1-3 1.1.2-1 simple interprocess messaging syst
ii libdbus-glib-1-2 0.74-1 simple interprocess messaging syst
ii libfontconfig1 2.5.0-2 generic font configuration library
ii libfreetype6 2.3.5-1+b1 FreeType 2 font engine, shared lib
ii libgconf2-4 2.20.1-1 GNOME configuration database syste
ii libgl1-mesa-glx [libgl1 7.0.2-2 A free implementation of the OpenG
ii libglade2-0 1:2.6.2-1 library to load .glade files at ru
ii libglib2.0-0 2.14.4-2 The GLib library of C routines
ii libgnome-menu2 2.20.2-1 an implementation of the freedeskt
ii libgnomekbd1 2.20.0-1 GNOME library to manage keyboard c
ii libgnomekbdui1 2.20.0-1 User interface library for libgnom
ii libgnomevfs2-0 1:2.20.1-1 GNOME Virtual File System (runtime
ii libgtk2.0-0 2.12.3-1 The GTK+ graphical user interface
ii libice6 2:1.0.4-1 X11 Inter-Client Exchange library
ii libnotify1 [libnotify1- 0.4.4-3 sends desktop notifications to a n
ii liborbit2 1:2.14.7-0.1 libraries for ORBit2 - a CORBA ORB
ii libpam0g 0.99.7.1-5 Pluggable Authentication Modules l
ii libpango1.0-0 1.18.3-1 Layout and rendering of internatio
ii libpng12-0 1.2.15~beta5-3 PNG library - runtime
ii libsm6 2:1.0.3-1+b1 X11 Session Management library
ii libx11-6 2:1.0.3-7 X11 client-side library
ii libxcursor1 1:1.1.9-1 X cursor management library
ii libxext6 1:1.0.3-2 X11 miscellaneous extension librar
ii libxfixes3 1:4.0.3-2 X11 miscellaneous 'fixes' extensio
ii libxi6 2:1.1.3-1 X11 Input extension library
ii libxinerama1 1:1.0.2-1 X11 Xinerama extension library
ii libxklavier11 3.3-1 X Keyboard Extension high-level AP
ii libxml2 2.6.30.dfsg-3 GNOME XML library
ii libxrandr2 2:1.2.2-1 X11 RandR extension library
ii libxrender1 1:0.9.4-1 X Rendering Extension client libra
ii libxss1 1:1.1.2-1 X11 Screen Saver extension library
ii libxxf86misc1 1:1.0.1-2 X11 XFree86 miscellaneous extensio
ii libxxf86vm1 1:1.0.1-2 X11 XFree86 video mode extension l
ii zlib1g 1:1.2.3.3.dfsg-7 compression library - runtime
Versions of packages gnome-screensaver recommends:
ii gnome-power-manager 2.20.1-1 frontend for gnome-powermanager
ii libpam-gnome-keyring 2.20.2-1 GNOME keyring services PAM module
ii rss-glx 0.8.1-8 Really Slick Screensavers GLX Port
--
bye,
pabs
http://wiki.debian.org/PaulWise
Information forwarded to debian-bugs-dist@lists.debian.org, gpastore@debian.org (Guilherme de S. Pastore): Bug#455484; Package gnome-screensaver.
Acknowledgement sent to Sebastian Dröge <slomo@circular-chaos.org>:
Extra info received and forwarded to list. Copy sent to gpastore@debian.org (Guilherme de S. Pastore).
forwarded 455484 http://bugzilla.gnome.org/show_bug.cgi?id=503005
thanks
On Monday, 10.12.2007 at 21:09 +0930, Paul Wise wrote:
> Package: gnome-screensaver
> Version: 2.20.0-2
> Severity: normal
> Tags: security
>
> With the addition of the feature to send a message to the logged in user
> when they return and unlock a locked session, this gives local attackers
> the ability to read the X selection and clipboard buffers with a middle
> click on the mouse and a Ctrl+V. I note that the box to leave a message
> doesn't have a context menu that you could paste via, but it doesn't go
> far enough.
>
> Filed at severity normal since it isn't a really bad issue. Please
> change the severity as you see fit.
Hi,
thanks for reporting this bug. I've forwarded it upstream:
http://bugzilla.gnome.org/show_bug.cgi?id=503005
Tags added: fixed-upstream
Request was from bts-link-upstream@lists.alioth.debian.org
to control@bugs.debian.org.
(Sun, 16 Dec 2007 23:00:15 GMT).
Information forwarded to debian-bugs-dist@lists.debian.org, gpastore@debian.org (Guilherme de S. Pastore): Bug#455484; Package gnome-screensaver.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to gpastore@debian.org (Guilherme de S. Pastore).
Hi,
as this is marked as fixed in the upstream tracker but when
reading the upstream bug it seems like the fix is somehow
broken. Can you please contact the upstream and ask for a
clarification of the situation so this does not end up as a
nominal member?
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Subject: Bug#455484: fixed in gnome-screensaver 2.22.0-1
Date: Fri, 14 Mar 2008 09:47:02 +0000
Source: gnome-screensaver
Source-Version: 2.22.0-1
We believe that the bug you reported is fixed in the latest version of
gnome-screensaver, which is due to be installed in the Debian FTP archive:
gnome-screensaver_2.22.0-1.diff.gz
to pool/main/g/gnome-screensaver/gnome-screensaver_2.22.0-1.diff.gz
gnome-screensaver_2.22.0-1.dsc
to pool/main/g/gnome-screensaver/gnome-screensaver_2.22.0-1.dsc
gnome-screensaver_2.22.0-1_i386.deb
to pool/main/g/gnome-screensaver/gnome-screensaver_2.22.0-1_i386.deb
gnome-screensaver_2.22.0.orig.tar.gz
to pool/main/g/gnome-screensaver/gnome-screensaver_2.22.0.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 455484@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Dröge <slomo@debian.org> (supplier of updated gnome-screensaver package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Fri, 14 Mar 2008 10:15:47 +0100
Source: gnome-screensaver
Binary: gnome-screensaver
Architecture: source i386
Version: 2.22.0-1
Distribution: unstable
Urgency: medium
Maintainer: Guilherme de S. Pastore <gpastore@debian.org>
Changed-By: Sebastian Dröge <slomo@debian.org>
Description:
gnome-screensaver - GNOME screen saver and locker
Closes: 455484 457549
Changes:
gnome-screensaver (2.22.0-1) unstable; urgency=medium
.
[ Josselin Mouette ]
* 02_clear_clipboard.patch: clear the clipboard when locking the
screen. Closes: #455484.
.
[ Loic Minier ]
* Add a README.Debian to document that one should disable the gnome-keyring
PAM module if the recommended libpam-gnome-keyring isn't installed;
closes: #457549.
.
[ Sebastian Dröge ]
* New upstream stable release:
+ Drop gnome-vfs build dependency and build depend on glib >= 2.15.0.
+ 02_clear_clipboard.patch: Dropped, merged upstream.
Files:
e8cae83c62d458e980794f1db1a4c6b5 1255 gnome optional gnome-screensaver_2.22.0-1.dsc
832111f94de5cd62c27ca97bc0188d40 2321335 gnome optional gnome-screensaver_2.22.0.orig.tar.gz
104d5b6d88c548f621bf46848ad029a8 9669 gnome optional gnome-screensaver_2.22.0-1.diff.gz
46e50577377964231e0ac229667285b6 1885494 gnome optional gnome-screensaver_2.22.0-1_i386.deb
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 14 May 2008 07:46:22 GMT).