XScreenSaver LDAP Authentication Error Lets Physically Local Users Bypass the Password Feature
SecurityTracker Alert ID: 1017996
SecurityTracker URL: http://securitytracker.com/id?1017996
CVE Reference: CVE-2007-1859
Date: May 2 2007
Impact: User access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 5.02
Description: A vulnerability was reported in XScreenSaver. A physically local user can bypass the password authentication feature.
When the target system uses a remote LDAP directory service for authentication and the LDAP service is unavailable for a long period of time, a physically local user can unlock the screen using an arbitrary password.
The vulnerability is due to a flaw in the way XScreenSaver parses a getpwuid(getuid()) function call.
Alex Yamauchi reported this vulnerability.
Impact: A physically local user can bypass the screen saver password feature.
Solution: The vendor has issued a fixed version (5.02).
Vendor URL: www.jwz.org/xscreensaver/
Cause: Authentication error
Underlying OS: Linux (Any), UNIX (Any)
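
The condition in the Description (an account lookup that fails because the directory is unreachable) handled fail-closed, as an added example that is not XScreenSaver's code and not part of the advisory. The lookup is injected so the outage can be simulated offline; all function names, the sample user and the stand-in verifier are hypothetical or constructed.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical names throughout; not XScreenSaver's code. */
typedef struct passwd *(*lookup_fn)(uid_t);   /* getpwuid() fits this type */
typedef int (*verify_fn)(const char *stored_hash, const char *typed);
enum unlock_result { DENY_NO_ACCOUNT, DENY_NO_HASH, DENY_BAD_PASSWORD, UNLOCK_OK };

/* Decide whether the screen may unlock. Every failure path denies. */
enum unlock_result check_unlock(lookup_fn lookup, verify_fn verify,
                                uid_t uid, const char *typed)
{
    struct passwd *pw = lookup(uid);
    /* getpwuid() returns NULL when the entry cannot be retrieved, e.g. an
       unreachable LDAP backend: "cannot authenticate", never success. */
    if (pw == NULL)
        return DENY_NO_ACCOUNT;
    /* A missing or empty hash must not match an arbitrary password. */
    if (pw->pw_passwd == NULL || pw->pw_passwd[0] == '\0')
        return DENY_NO_HASH;
    if (typed == NULL || !verify(pw->pw_passwd, typed))
        return DENY_BAD_PASSWORD;
    return UNLOCK_OK;
}

/* Constructed stand-ins so the outage can be reproduced offline. */
static struct passwd *lookup_directory_down(uid_t uid) { (void)uid; return NULL; }
static struct passwd *lookup_sample(uid_t uid)
{
    static char name[] = "alice", hash[] = "constructed-hash", none[] = "";
    static struct passwd pw;
    pw.pw_name = name;
    pw.pw_passwd = (uid == 1000) ? hash : none;   /* other uids: empty hash */
    return &pw;
}

/* Stand-in verifier; a real one would compare crypt(3) or PAM results. */
static int verify_sample(const char *stored, const char *typed)
{
    return strcmp(stored, "constructed-hash") == 0 && strcmp(typed, "correct horse") == 0;
}

int main(void)
{
    printf("directory down: %d\n", (int)check_unlock(lookup_directory_down, verify_sample, 1000, "x"));
    printf("good password:  %d\n", (int)check_unlock(lookup_sample, verify_sample, 1000, "correct horse"));
    return 0;
}
```

A real caller would pass `getpwuid` and `getuid()` in place of the stubs, and keep the screen locked on any result other than `UNLOCK_OK`.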
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Wed, 2 May 2007 13:43:30 -0400
Subject: CVE-2007-1859 xscreensaver authentication bypass
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=237003
CVE-2007-1859