Bug#446906: security related issue, CVE assigned

2007-10-24 Thread Steffen Joeris
tags 446906 security
thanks

Hi

Attached you will find an NMU patch to fix this problem.
Please also note that CVE-2007-3920 was assigned for this issue.

Cheers
Steffen
diff -u gnome-screensaver-2.20.0/debian/changelog gnome-screensaver-2.20.0/debian/changelog
--- gnome-screensaver-2.20.0/debian/changelog
+++ gnome-screensaver-2.20.0/debian/changelog
@@ -1,3 +1,11 @@
+gnome-screensaver (2.20.0-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by the testing-security team
+  * Prevent screen lock bypass via shortcuts when compiz is running
+(Closes: #446906) Fixes: CVE-2007-3920
+
+ -- Steffen Joeris [EMAIL PROTECTED]  Wed, 24 Oct 2007 13:08:36 +
+
 gnome-screensaver (2.20.0-1) unstable; urgency=low
 
   [ Riccardo Setti ]
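Review bot: the new 2.20.0-1.1 changelog entry says what is prevented but not what was changed. Name the file and the call, for example that src/gs-manager.c now uses gs_grab_grab_window instead of gs_grab_move_to_window, so that someone auditing the CVE-2007-3920 fix can locate it without opening the diff. As it appears here, the continuation line "(Closes: #446906) Fixes: CVE-2007-3920" is also not indented under the bullet it belongs to.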
only in patch2:
unchanged:
--- gnome-screensaver-2.20.0.orig/src/gs-manager.c
+++ gnome-screensaver-2.20.0/src/gs-manager.c
@@ -1045,7 +1045,7 @@
 }
 
 /* Move keyboard and mouse grabs so dialog can be used */
-gs_grab_move_to_window (manager-priv-grab,
+gs_grab_grab_window (manager-priv-grab,
 gs_window_get_gdk_window (window),
 gs_window_get_screen (window),
 FALSE);
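Review bot: the comment above the changed call still reads "Move keyboard and mouse grabs so dialog can be used", but the call is now gs_grab_grab_window, which by its name takes a grab on the window rather than moving an existing one. Update the comment to say why a fresh grab is needed (the compiz shortcut bypass named in the changelog). The result of the call is also not used in this hunk; if gs_grab_grab_window can report failure, check it here so the unlock dialog is not shown while the keyboard is still ungrabbed.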


signature.asc
Description: This is a digitally signed message part.
___
pkg-gnome-maintainers mailing list
pkg-gnome-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-gnome-maintainers

Bug#446906: marked as done (gnome-screensaver does not grab keyboard input)

2007-10-24 Thread Debian Bug Tracking System
Your message dated Wed, 24 Oct 2007 16:32:02 +
with message-id [EMAIL PROTECTED]
and subject line Bug#446906: fixed in gnome-screensaver 2.20.0-1.1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

---BeginMessage---
Package: gnome-screensaver
Version: 2.18.2-1
Severity: important

When I lock screen the password input box is immediately displayed, but
there is no cursor in the text input field. Writing anything on keyboard
produces no change. 
I tried this: 
- opened konsole
- locked screen (using shortcut ctrl+alt+ins I configured before)
- instead of blanking screen and display the password input box only on
  keyboard/mouse event, gnome-screensaver displayed the input box
  immediately. In the text input field there was no cursor (neither
  blinking nor static, none at all)
- I WROTE SOMETHING ON THE KEYBOARD, nothing happened apparently (static
  image with the password input box on the screen, mouse arrow working
  as it might) - this is important
- I waited 30s, the input box disappeared and reappeared immediately,
  this time the cursor was present and blinking
- I entered my password and hit enter, the screen unlocked
- surprise! What I wrote on the keyboard before the input box flashed
  and the cursor reappeared was there on konsole.

During the first 30s: 
- the keyboard input is not grabbed by gnome-screensaver but by the
  application which had focus when the screen was locked
- the mouse input is grabbed correctly, but clicking on any button on
  the box does nothing, except showing the button-press animation

Independently from the actions taken, after 30s the situation recovers
automatically and the input box works again, allowing password typing
and screen unlocking. 


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages gnome-screensaver depends on:
ii  dbus                    1.1.1-3      simple interprocess messaging syst
ii  gconf2                  2.20.0-1     GNOME configuration database syste
ii  gnome-icon-theme        2.20.0-1     GNOME Desktop icon theme
ii  libart-2.0-2            2.3.19-3     Library of functions for 2D graphi
ii  libatk1.0-0             1.20.0-1     The ATK accessibility toolkit
ii  libbonobo2-0            2.20.0-1     Bonobo CORBA interfaces library
ii  libbonoboui2-0          2.18.0-5     The Bonobo UI library
ii  libc6                   2.6.1-1+b1   GNU C Library: Shared libraries
ii  libcairo2               1.4.10-1     The Cairo 2D vector graphics libra
ii  libdbus-1-3             1.1.1-3      simple interprocess messaging syst
ii  libdbus-glib-1-2        0.74-1       simple interprocess messaging syst
ii  libexif12               0.6.16-2     library to parse EXIF files
ii  libfontconfig1          2.4.2-1.2    generic font configuration library
ii  libfreetype6            2.3.5-1+b1   FreeType 2 font engine, shared lib
ii  libgconf2-4             2.20.0-1     GNOME configuration database syste
ii  libgl1-mesa-glx [libgl1 7.0.1-2      A free implementation of the OpenG
ii  libglade2-0             1:2.6.2-1    library to load .glade files at ru
ii  libglib2.0-0            2.14.0-2     The GLib library of C routines
ii  libgnome-keyring0       0.8.1-2      GNOME keyring services library
ii  libgnome-menu2          2.20.0-2     an implementation of the freedeskt
ii  libgnome2-0             2.20.0-1     The GNOME 2 library - runtime file
ii  libgnomecanvas2-0       2.14.0-3     A powerful object-oriented display
ii  libgnomekbd1            2.18.2-1     GNOME library to manage keyboard c
ii  libgnomekbdui1          2.18.2-1     User interface library for libgnom
ii  libgnomeui-0            2.18.1-2     The GNOME 2 libraries (User Interf
ii  libgnomevfs2-0          1:2.20.0-1   GNOME Virtual File System (runtime
ii  libgtk2.0-0             2.10.13-1    The GTK+ graphical user interface
ii  libice6                 2:1.0.4-1    X11 Inter-Client Exchange library
ii  liborbit2               1:2.14.7-0.1 libraries for ORBit2 - a CORBA ORB
ii  libpam0g                0.99.7.1-5   Pluggable Authentication Modules l
ii  libpango1.0-0           1.18.2-1     Layout and rendering of internatio
ii  libpng12-0  

Bug#405868: totem: Isn't it Flash?

2007-10-24 Thread Sven Arvidsson
On Tue, 2007-10-23 at 18:34 +0200, Marc Fargas wrote:
> I just tried to reproduce this bug with my laptop so I went to the website
> linked in the bugreport and clicked on Watch Video.
>
> There's a nice popup, and the video plays just fine. But to my unexperienced
> eye the video seems to be a Flash video, not a RealPlayer one so, is really
> this a Totem bug?
>
> Anyway, the video plays fine being realplayer, flash or whatever it is (but
> I'd say it's just Flash).

Hi,

I have no idea, as Swfdec doesn't seem to work correctly with this site
yet. 

Anyway, it shouldn't be hard to figure out whether totem is used or not.
Simply right click on the video and see if the menu that pops up belongs
to totem or not.

If totem is used, you should be able to select Copy and get the direct
URL to the video. This is what I asked for in the first place, so the
bug can be easily reproduced.

-- 
Cheers,
Sven Arvidsson
http://www.whiz.se
PGP Key ID 760BDD22



Bug#431396: rhythmbox-dbg: does not produce useful backtraces

2007-10-24 Thread Sven Arvidsson
On Wed, 2007-09-12 at 18:01 +0200, Sven Arvidsson wrote:
> > Well, I have no idea what I can do.  Either the toolchain is broken, or
> > you had bad luck and only met cases where the backtrace was corrupted,
> > or bug-buddy is broken, but I can't tell.
>
> Maybe this is bug 401482 again, the kernel bug which results in useless
> traces?

I ran into this myself when trying to reproduce bug #446288. I'm using
linux-image 2.6.22-4 so I don't think 401482 is to blame.

This error message was printed on the terminal:

[EMAIL PROTECTED] rhythmbox
Multiple segmentation faults occurred; can't display error
dialog
[EMAIL PROTECTED] ptrace: No such process.
/home/sa/27873: No such file or directory.
No stack.
/usr/share/bug-buddy/gdb-cmd:3: Error in sourced command file:
No registers.

It hasn't happened since, and I seem to get useful backtraces.

-- 
Cheers,
Sven Arvidsson
http://www.whiz.se
PGP Key ID 760BDD22



accerciser 1.0.1-1 MIGRATED to testing

2007-10-24 Thread Debian testing watch
FYI: The status of the accerciser source package
in Debian's testing distribution has changed.

  Previous version: 0.1.5-1
  Current version:  1.0.1-1

-- 
This email is automatically generated; [EMAIL PROTECTED] is responsible.
See http://people.debian.org/~henning/trille/ for more information.




Bug#447963: libgtk2.0-0: upgrade from 2.12.0 to 2.12.1 broke flashplugin-nonfree

2007-10-24 Thread Shai Berger
Package: libgtk2.0-0
Version: 2.12.1-1
Severity: normal


Today I safe-upgraded, which included an upgrade to gtk from
2.12.0-3 to 2.12.1-1. Ever since then, flash freezes the browser
shortly after any interaction (button press etc).

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-2-686 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libgtk2.0-0 depends on:
ii  libatk1.0-0        1.20.0-1           The ATK accessibility toolkit
ii  libc6              2.6.1-6            GNU C Library: Shared libraries
ii  libcairo2          1.4.10-1           The Cairo 2D vector graphics libra
ii  libcomerr2         1.40.2-1           common error description library
ii  libcupsys2         1.3.2-1            Common UNIX Printing System(tm) -
ii  libfontconfig1     2.4.2-1.4          generic font configuration library
ii  libglib2.0-0       2.14.2-1           The GLib library of C routines
ii  libgnutls13        2.0.1-1            the GNU TLS library - runtime libr
ii  libgtk2.0-common   2.12.1-1           Common files for the GTK+ graphica
ii  libjpeg62          6b-14              The Independent JPEG Group's JPEG
ii  libkrb53           1.6.dfsg.3~beta1-2 MIT Kerberos runtime libraries
ii  libpango1.0-0      1.18.3-1           Layout and rendering of internatio
ii  libpng12-0         1.2.15~beta5-3     PNG library - runtime
ii  libtiff4           3.8.2-7            Tag Image File Format (TIFF) libra
ii  libx11-6           2:1.0.3-7          X11 client-side library
ii  libxcomposite1     1:0.3.2-1+b1       X11 Composite extension library
ii  libxcursor1        1:1.1.9-1          X cursor management library
ii  libxdamage1        1:1.1.1-3          X11 damaged region extension libra
ii  libxext6           1:1.0.3-2          X11 miscellaneous extension librar
ii  libxfixes3         1:4.0.3-2          X11 miscellaneous 'fixes' extensio
ii  libxi6             2:1.1.3-1          X11 Input extension library
ii  libxinerama1       1:1.0.2-1          X11 Xinerama extension library
ii  libxrandr2         2:1.2.2-1          X11 RandR extension library
ii  libxrender1        1:0.9.4-1          X Rendering Extension client libra
ii  zlib1g             1:1.2.3.3.dfsg-6   compression library - runtime

Versions of packages libgtk2.0-0 recommends:
ii  hicolor-icon-theme 0.10-1             default fallback theme for FreeDes
ii  libgtk2.0-bin      2.12.1-1           The programs for the GTK+ graphica

-- no debconf information






Bug#447963: ... gtk and non-gtk browsers

2007-10-24 Thread Shai Berger
Forgot to mention above: This was tested with both Konqueror and Iceweasel.






Bug#447980: deskbar-applet 2.20 has no in-panel command line :-(

2007-10-24 Thread Johan Walles
Package: deskbar-applet
Version: 2.20.0-1
Severity: grave

Deskbar-applet 2.20 has no in-panel command line any more, which for a
lot of users is a severe regression from 2.18.

It should therefore be kept out of testing (thus Severity: grave).

References:
Fixing this is *the* top item on the GNOME 2.22 road map:
http://live.gnome.org/DeskbarApplet/RoadMap222

Ubuntu Gutsy Gibbon users aren't too happy about this:
https://bugs.launchpad.net/bugs/131446

Neither are the users of the GNOME bugzilla:
http://bugzilla.gnome.org/show_bug.cgi?id=465658

  Regards //Johan





Processed: Re: Bug#447980: deskbar-applet 2.20 has no in-panel command line :-(

2007-10-24 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> severity 447980 wishlist
Bug#447980: deskbar-applet 2.20 has no in-panel command line :-(
Severity set to `wishlist' from `grave'

> quit
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

