Bug#449108: marked as done (CVE-2007-3920: bypass password authentication)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Fri, 18 Jan 2008 22:32:07 +0000
with message-id <E1JFzkt-0003td-C8@ries.debian.org>
and subject line Bug#449108: fixed in xorg-server 2:1.4.1~git20080118-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: CVE-2007-3920: bypass password authentication
• From: Steffen Joeris <steffen.joeris@skolelinux.de>
• Date: Sat, 03 Nov 2007 14:15:31 +1100
• Message-id: <20071103031531.6329.58804.reportbug@hannah>

Package: compiz
Severity: grave
Tags: security
Justification: user security hole

Hi

The following CVE[0] has been issued for gnome-screensaver and compiz.
gnome-screensaver is already fixed, but compiz also seems to be
affected.
Here is the text

CVE-2007-3920:

GNOME screensaver 2.20 in Ubuntu 7.10, when used with Compiz, does not
properly reserve input focus, which allows attackers with physical
access to take control of the session after entering an Alt-Tab
sequence, a related issue to CVE-2007-3069.

Please mention the CVE number in your changelog, if you fix this issue
by an upload.

Please also consider the patch below. It is fetched from the ubuntu
security update.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3920

diff -u compiz-0.5.2/debian/changelog compiz-0.5.2/debian/changelog
--- compiz-0.5.2/debian/changelog
+++ compiz-0.5.2/debian/changelog
@@ -1,3 +1,12 @@
+compiz (0.5.2-2.1) unstable; urgency=high
+
+  * Non-maintainer upload by the testing-security team
+  * Make sure that gnome-screensaver never gets unredirected to avoid
+    that it loses its keyboard grab Fixes: CVE-2007-3920
+    Thanks to Michael Voigt and Ubuntu
+
+ -- Steffen Joeris <white@debian.org>  Sat, 03 Nov 2007 00:33:48 +0000
+
 compiz (0.5.2-2) unstable; urgency=low

   * oops, shipping copies of a few .h and .pc files in both compiz-dev
diff -u compiz-0.5.2/debian/patches/series compiz-0.5.2/debian/patches/series
--- compiz-0.5.2/debian/patches/series
+++ compiz-0.5.2/debian/patches/series
@@ -3,0 +4 @@
+016_CVE-2007-3920.patch
only in patch2:
unchanged:
--- compiz-0.5.2.orig/debian/patches/016_CVE-2007-3920.patch
+++ compiz-0.5.2/debian/patches/016_CVE-2007-3920.patch
@@ -0,0 +1,13 @@
+--- paint.c.orig       2007-11-03 00:31:52.000000000 +0000
++++ compiz-0.5.2/src/paint.c   2007-11-03 00:32:39.000000000 +0000
+@@ -211,7 +211,9 @@
+           if (count == 0                                            &&
+               !REGION_NOT_EMPTY (tmpRegion)                         &&
+               screen->opt[COMP_SCREEN_OPTION_UNREDIRECT_FS].value.b &&
+-              XEqualRegion (w->region, &screen->region))
++              XEqualRegion (w->region, &screen->region)             &&
++              !(w->resName && strcmp(w->resName, "gnome-screensaver") == 0)
++              )
+           {
+               unredirectWindow (w);
+               fullscreenWindow = w;

--- End Message ---

--- Begin Message ---

• To: 449108-close@bugs.debian.org
• Subject: Bug#449108: fixed in xorg-server 2:1.4.1~git20080118-1
• From: Brice Goglin <bgoglin@debian.org>
• Date: Fri, 18 Jan 2008 22:32:07 +0000
• Message-id: <E1JFzkt-0003td-C8@ries.debian.org>

Source: xorg-server
Source-Version: 2:1.4.1~git20080118-1

We believe that the bug you reported is fixed in the latest version of
xorg-server, which is due to be installed in the Debian FTP archive:

xnest_1.4.1~git20080118-1_i386.deb
  to pool/main/x/xorg-server/xnest_1.4.1~git20080118-1_i386.deb
xorg-server_1.4.1~git20080118-1.diff.gz
  to pool/main/x/xorg-server/xorg-server_1.4.1~git20080118-1.diff.gz
xorg-server_1.4.1~git20080118-1.dsc
  to pool/main/x/xorg-server/xorg-server_1.4.1~git20080118-1.dsc
xorg-server_1.4.1~git20080118.orig.tar.gz
  to pool/main/x/xorg-server/xorg-server_1.4.1~git20080118.orig.tar.gz
xserver-xephyr_1.4.1~git20080118-1_i386.deb
  to pool/main/x/xorg-server/xserver-xephyr_1.4.1~git20080118-1_i386.deb
xserver-xorg-core-dbg_1.4.1~git20080118-1_i386.deb
  to pool/main/x/xorg-server/xserver-xorg-core-dbg_1.4.1~git20080118-1_i386.deb
xserver-xorg-core_1.4.1~git20080118-1_i386.deb
  to pool/main/x/xorg-server/xserver-xorg-core_1.4.1~git20080118-1_i386.deb
xserver-xorg-dev_1.4.1~git20080118-1_i386.deb
  to pool/main/x/xorg-server/xserver-xorg-dev_1.4.1~git20080118-1_i386.deb
xvfb_1.4.1~git20080118-1_i386.deb
  to pool/main/x/xorg-server/xvfb_1.4.1~git20080118-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 449108@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brice Goglin <bgoglin@debian.org> (supplier of updated xorg-server package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 18 Jan 2008 22:20:32 +0100
Source: xorg-server
Binary: xserver-xephyr xserver-xorg-core xvfb xserver-xorg-dev xserver-xorg-core-dbg xnest
Architecture: source i386
Version: 2:1.4.1~git20080118-1
Distribution: unstable
Urgency: low
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Brice Goglin <bgoglin@debian.org>
Description: 
 xnest      - Nested X server
 xserver-xephyr - nested X server
 xserver-xorg-core - Xorg X server - core server
 xserver-xorg-core-dbg - Xorg - the X.Org X server (debugging symbols)
 xserver-xorg-dev - Xorg X server - development files
 xvfb       - Virtual Framebuffer 'fake' X server
Closes: 449108 461410
Changes: 
 xorg-server (2:1.4.1~git20080118-1) unstable; urgency=low
 .
   [ Brice Goglin ]
   * Add 42_dont_break_grab_and_focus_for_window_when_redirecting.diff
     to prevent password authentication bypass, closes: #449108.
 .
   [ Julien Cristau ]
   * New upstream snapshot
     + includes the security fixes from the previous version
     + fixes regression introduced by the fix for CVE-2007-6429 in the MIT-SHM
       extension (closes: #461410)
Files: 
 24dfd4eac7f6df7fbc6307674d1f9bd8 2488 x11 optional xorg-server_1.4.1~git20080118-1.dsc
 572101aa38dabcd69349e6213ee02f50 8253335 x11 optional xorg-server_1.4.1~git20080118.orig.tar.gz
 fd50e5a8dd2590dcf2cd39625fbada04 667590 x11 optional xorg-server_1.4.1~git20080118-1.diff.gz
 65683fe75d388f3273808212db7d06b3 4053256 x11 optional xserver-xorg-core_1.4.1~git20080118-1_i386.deb
 cb14d10cc75406578b713b888518ff1a 681882 x11 optional xserver-xorg-dev_1.4.1~git20080118-1_i386.deb
 213bccc8e7a919bf4fb2516ec1b2fcdc 1749182 x11 optional xnest_1.4.1~git20080118-1_i386.deb
 b8c2433fa6429148b094c33cd6bc3f5b 1860152 x11 optional xvfb_1.4.1~git20080118-1_i386.deb
 6c88940dd25a5bc95e67b973228f0c88 1897470 x11 optional xserver-xephyr_1.4.1~git20080118-1_i386.deb
 368af74b934278587b7ea2df4f363552 12570776 x11 extra xserver-xorg-core-dbg_1.4.1~git20080118-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHkSHBRh88F8PcWfoRAocCAKCn4y9XQ1cJnPJuLSqkgiI0NUPbVACfTpsB
zTNquSmyeZquSZOQTDwJB8Y=
=vf67
-----END PGP SIGNATURE-----

--- End Message ---