Bugzilla – Bug 952062
VUL-0: CVE-2015-8025: xscreensaver: screensaver bypass through HDMI cable unplug
Last modified: 2017-06-13 14:39:34 UTC
Fedora bug report against XFCE...

https://bugzilla.redhat.com/show_bug.cgi?id=1274452

On XFCE...
* using VGA and HDMI dual monitor (for example)
* lock the screen with
  $ xscreensaver-command -lock
* move mouse, password dialog appears
* during the time password dialog still appears, unplug HDMI cable

then xscreensaver abort()s (actually it abort()s, not segv, however I guess it is not important)
(at the line 420 in xscreensaver-5.33/driver/subprocs.c)

100% reproducible.

This issue is already in public as
https://twitter.com/Thaolia/status/656823859304398848

I and the upstream developer already tracked down the cause and the upstream sent me a patch, which seems to be working. Hopefully the upstream will release the new version soon.

[...]

The upstream released 5.34, which should address this issue.
Patch against 5.33 is
http://pkgs.fedoraproject.org/cgit/xscreensaver.git/diff/xscreensaver-5.33-0002-Modify-sigchld_hander-in_signal_hander_p-mechanism.patch?id=b57f59f3482fedf70ce7a3541094e2512290139f

openSUSE 13.1 is affected
openSUSE 13.2 is affected
openSUSE Leap 42.1 is affected
Hmm, I'd actually rate this CVSSv2 4.4 (AV:L/AC:M/Au:N/C:P/I:P/A:P) for now. Partial as the attacker does not control the logged in user, which is not necessarily a privileged one.
Created attachment 653325
xscreensaver-5.33-0002-Modify-sigchld_hander-in_signal_hander_p-mechanism.txt

Patch applies cleanly to SLE 11 and SLE 12. On SLE 10 note that there is an else on HAVE_SIGACTION but it should apply just the same.

> #ifdef HAVE_SIGACTION
> [...]
> #else /* !HAVE_SIGACTION */
> [...]
> #endif /* !HAVE_SIGACTION */
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-11-11. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62314
I just prepared updates for openSUSE and SLE12:

Factory (version upgrade): https://build.opensuse.org/request/show/342582
openSUSE (13.1, 13.2, Leap 42.1): https://build.opensuse.org/request/show/342584
SLE12: https://build.suse.de/request/show/78055

SLE11 SP1 (and SLE11) needs deeper research. The signal handler is different there and the variable in_signal_handler_p controlling the abort() is not defined.

Do we need a fix for SLE11 GA and SLE10*?
I just decided to port the whole code implementing in_signal_handler_p. Then the security patch will cleanly apply without any changes.

SLE11 SP1: https://build.suse.de/request/show/78595
SLE11: https://build.suse.de/request/show/78599

Please note that this change was not tested. It just compiles.

If you need SLE10 as well, please let me know.
SLE10 done by backport of SLE11 solution.
https://build.suse.de/request/show/79415

Taken from SUSE:SLE-10-SP2:Update, submitted to SUSE:SLE-10-SP3:Update:Test.
openSUSE-SU-2015:2032-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 952062
CVE References: CVE-2015-8025
Sources used:
openSUSE Leap 42.1 (src): xscreensaver-5.33-4.1
openSUSE 13.2 (src): xscreensaver-5.29-2.4.3
openSUSE 13.1 (src): xscreensaver-5.22-2.25.1
SUSE-SU-2015:2053-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 952062
CVE References: CVE-2015-8025
Sources used:
SUSE Linux Enterprise Server 12 (src): xscreensaver-5.22-6.1
SUSE Linux Enterprise Desktop 12 (src): xscreensaver-5.22-6.1
SUSE-SU-2015:2054-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 952062
CVE References: CVE-2015-8025
Sources used:
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): xscreensaver-5.07-6.36.1
SUSE Linux Enterprise Server 11-SP4 (src): xscreensaver-5.07-6.36.1
SUSE Linux Enterprise Server 11-SP3 (src): xscreensaver-5.07-6.36.1
SUSE Linux Enterprise Desktop 11-SP4 (src): xscreensaver-5.07-6.36.1
SUSE Linux Enterprise Desktop 11-SP3 (src): xscreensaver-5.07-6.36.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): xscreensaver-5.07-6.36.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): xscreensaver-5.07-6.36.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-12-14. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62352
SUSE-SU-2015:2053-2: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 952062
CVE References: CVE-2015-8025
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src): xscreensaver-5.22-7.1
SUSE Linux Enterprise Desktop 12-SP1 (src): xscreensaver-5.22-7.1
Fixed and released.