Package: xscreensaver
Version: 4.24-5
Severity: grave
Tags: security
Justification: user security hole
Hi mate
Please have a look at the patch below I found in the Ubuntu version of
your package. Your package was showing up on the security tracker and I
found a CVE assigned for it. It seems that the patch below fixed the issue
for Ubuntu, though I did no further investigation. Maybe you can have
a look and if this information is wrong, feel free to downgrade the bug.
Cheers
Steffen
diff -u xscreensaver-4.24/debian/changelog xscreensaver-4.24/debian/changelog
--- xscreensaver-4.24/debian/changelog
+++ xscreensaver-4.24/debian/changelog
@@ -1,3 +1,12 @@
+xscreensaver (4.24-5ubuntu2.1) feisty-security; urgency=low
+
+ * SECURITY UPDATE: password bypass when using network authentication.
+ * driver/lock.c: upstream fixes applied inline.
+ * References
+ CVE-2007-1859
+
+ -- Kees Cook <[EMAIL PROTECTED]> Mon, 11 Jun 2007 12:58:25 -0700
+
xscreensaver (4.24-5ubuntu2) feisty; urgency=low
* debian/control:
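Review bot: the new changelog entry's line "driver/lock.c: upstream fixes applied inline" does not say which upstream release or change the fix was taken from, so the backport cannot be checked against its origin from this entry alone. Suggest naming the upstream version or changeset next to the CVE-2007-1859 reference. The entry also carries urgency=low while describing a password bypass; worth confirming that is the intended urgency for this upload.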
diff -u xscreensaver-4.24/driver/lock.c xscreensaver-4.24/driver/lock.c
--- xscreensaver-4.24/driver/lock.c
+++ xscreensaver-4.24/driver/lock.c
@@ -1532,7 +1532,7 @@
*/
struct passwd *pw = getpwuid (getuid ());
char *d = DisplayString (si->dpy);
- char *u = (pw->pw_name ? pw->pw_name : "???");
+ char *u = (pw && pw->pw_name ? pw->pw_name : "???");
int opt = 0;
int fac = 0;
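Review bot: the `pw &&` guard in the initialisation of `u` covers only this one dereference, and the fallback to "???" when getpwuid() returns NULL is silent. Any later use of `pw` in this function, outside the visible context, needs the same NULL check, and since the changelog ties the bug to network authentication, where the lookup can fail at runtime, a log message on the NULL path would make the failure visible. The condition `pw && pw->pw_name ? pw->pw_name : "???"` parses as intended because && binds tighter than ?:, but writing it as `(pw && pw->pw_name) ? ...` would make that explicit.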