Subject: [USN-669-1] gnome-screensaver vulnerabilities
From: Marc Deslauriers <marc.deslauriers@canonical.com.>
To: [email protected]
Cc: [email protected], [email protected]
X-Original-To: [email protected]
X-Mailcontrol-Inbound:
uq3drnD2P+ps5SfEb0fvr78+NoP1DHBZwGqKpaXB2eTgNv8D6KLIxb8+NoP1DHBZ8VSaBg0k0xw=
X-Spam-Score: -4.1
X-Scanned-By: MailControl A_08_51_00 (www.mailcontrol.com) on 10.69.0.134
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="=-4IVhQM1uIY3V+c53vAYj"
Date: Tue, 11 Nov 2008 15:22:31 -0500
Message-Id: <1226434951.30932.13.camel@mdlinux.technorage.com.>
Mime-Version: 1.0
X-Mailer: Evolution 2.24.1
X-Virus-Scanned: antivirus-gw at tyumen.ru
--=-4IVhQM1uIY3V+c53vAYj
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D
Ubuntu Security Notice USN-669-1 November 11, 2008
gnome-screensaver vulnerabilities
CVE-2007-6389, CVE-2008-0887
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 7.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
gnome-screensaver 2.14.3-0ubuntu1.1
Ubuntu 7.10:
gnome-screensaver 2.20.0-0ubuntu4.3
After a standard system upgrade you need to restart all user sessions on
your computer to effect the necessary changes.
Details follow:
It was discovered that the notify feature in gnome-screensaver could let
a local attacker read the clipboard contents of a locked session by
using Ctrl-V. (CVE-2007-6389)
Alan Matsuoka discovered that gnome-screensaver did not properly handle
network outages when using a remote authentication service. During a
network interruption, or by disconnecting the network cable, a local
attacker could gain access to locked sessions. (CVE-2008-0887)
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-s=
creensaver_2.14.3-0ubuntu1.1.diff.gz
Size/MD5: 14632 858a17bd71cf1969f89c9f7248840e0b
http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-s=
creensaver_2.14.3-0ubuntu1.1.dsc
Size/MD5: 1515 100a66b14d50912bd73b49b6915d849b
http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-s=
creensaver_2.14.3.orig.tar.gz
Size/MD5: 2122211 9c95c9d0ad4c44a215546dd4b95992b0
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-s=
creensaver_2.14.3-0ubuntu1.1_amd64.deb
Size/MD5: 1502090 d5bfdd6505afe949c6414fb01dab0bb9
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-s=
creensaver_2.14.3-0ubuntu1.1_i386.deb
Size/MD5: 1483824 bcb42c8bb0a73fbc06c5a465a75fa299
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-s=
creensaver_2.14.3-0ubuntu1.1_powerpc.deb
Size/MD5: 1499086 d7e65422d70d2ff6405b0472f03b1c1f
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-s=
creensaver_2.14.3-0ubuntu1.1_sparc.deb
Size/MD5: 1486326 bff6d9f48780721f2621a0c6895aa143
Updated packages for Ubuntu 7.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-s=
creensaver_2.20.0-0ubuntu4.3.diff.gz
Size/MD5: 25605 044d070d183f0e073dc1ac81945b0cc5
http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-s=
creensaver_2.20.0-0ubuntu4.3.dsc
Size/MD5: 1695 472b10fdbd46177cbe20b58350265d64
http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-s=
creensaver_2.20.0.orig.tar.gz
Size/MD5: 2320018 db71d89c66fa3a96b3b276403b5bb723
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-s=
creensaver_2.20.0-0ubuntu4.3_amd64.deb
Size/MD5: 1587388 6655526c8225d3b139eb36c1cbbf948a
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-s=
creensaver_2.20.0-0ubuntu4.3_i386.deb
Size/MD5: 1570386 456e6a56f46efac8de675aa906bf70c2
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/g/gnome-screensaver/gnome-screensaver=
_2.20.0-0ubuntu4.3_lpia.deb
Size/MD5: 1569166 c7f1ce8eeee0127cd557a78cf9591b36
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-s=
creensaver_2.20.0-0ubuntu4.3_powerpc.deb
Size/MD5: 1606010 a65b33b3a95a7d23bcbdd5e894785852
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-s=
creensaver_2.20.0-0ubuntu4.3_sparc.deb
Size/MD5: 1576698 1566098fa61738a75ecaf0c98886eac1
--=-4IVhQM1uIY3V+c53vAYj
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEABECAAYFAkkZ6YMACgkQLMAs/0C4zNqEIQCdEUWEt3CYBpeUaE+twytiUGPA
g/gAnRoDkRs4ytcBYz2oK0i1G2Exq61n
=WxiA
-----END PGP SIGNATURE-----
--=-4IVhQM1uIY3V+c53vAYj--