[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Gnome Screensaver Password Bypass Vulnerability

Hola, encara que no és un dubte de funcionament crec que afecta a molta gent (sobre tot aquells que es deixen els portàtils amb aplicacions obertes i s'en van a donar un tomb)

Sam Morris ha reportat una vulnerabilitat al gnome-screensaver, que pot ferse servir per guanyar accés al sistema passant del password de protecció del screensaver.
Si el servidor de X s'ha llençat amb les opcions AllowDeactivateGrabs i AllowClosedownGrabs (crec que fucionen per defecte en una instalació de X per defecte), és possible matar (kill) el procés del screensaver (mitjançat combinacions de les hot keys) i *rebelar* (fer apareixer) l'escriptori.

La vulnerabilitat afecta fins a la versió 2.13 (gnome acaba de treure la versió 2.14, a veure si podem fer un upgrade dintre de poc :)

apa,

8-)


Begin forwarded message:


TITLE:
Gnome Screensaver Password Bypass Vulnerability

SECUNIA ADVISORY ID:
SA19280

VERIFY ADVISORY:
http://secunia.com/advisories/19280/

CRITICAL:
Not critical

IMPACT:
Security Bypass

WHERE:
Local system

SOFTWARE:
GNOME Screensaver 2.x
http://secunia.com/product/8800/

DESCRIPTION:
Sam Morris has reported a vulnerability in gnome-screensaver, which
can be exploited by a malicious person with physical access to a
system to bypass the password protected screensaver.

If the X server is running with the "AllowDeactivateGrabs" and
"AllowClosedownGrabs" options set, it is possible to kill the
screensaver process via hotkey combinations and reveal the desktop.

The vulnerability has been reported in version 2.13. Prior versions
may also be affected.

SOLUTION:
The vulnerability has reportedly been fixed in version 2.14.

PROVIDED AND/OR DISCOVERED BY:
Sam Morris

ORIGINAL ADVISORY:
http://bugzilla.gnome.org/show_bug.cgi?id=326663

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=hubble%40flashmail.com

----------------------------------------------------------------------


-- 
*****************************************************************
*       gpg --keyserver pgp.mit.edu --recv-keys 2E402485        *
*****************************************************************
Reply to: