XScreenSaver LDAP Authentication Error Lets Physically Local Users Bypass the Password Feature
|
SecurityTracker Alert ID: 1017996 |
SecurityTracker URL: http://securitytracker.com/id/1017996
|
CVE Reference:
CVE-2007-1859
|
Date: May 2 2007
|
Impact:
User access via local system
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): prior to 5.02
|
Description:
A vulnerability was reported in XScreenSaver. A physically local user can bypass the password authentication feature.
When the target system uses a remote LDAP directory service for authentication and the LDAP service is unavailable for a long period of time, a physically local user can unlock the screen using an arbitrary password.
The vulnerability is due to a flaw in the way XScreenSaver handles the result of a getpwuid(getuid()) function call.
Alex Yamauchi reported this vulnerability.
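The fail-closed handling this flaw calls for, as an added example (not XScreenSaver's code or the vendor's fix): a lock routine that denies the unlock whenever the getpwuid(getuid()) lookup returns nothing. The names try_unlock, lookup_directory_down, lookup_ok and verify_sample are hypothetical, and the sample account and password are constructed.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Same shape as getpwuid(), injectable so a directory outage can be simulated. */
typedef struct passwd *(*pw_lookup_fn)(uid_t);
/* Hypothetical password check; a real locker would call PAM or crypt() here. */
typedef int (*verify_fn)(const char *user, const char *typed);

enum unlock_result { UNLOCK_DENY = 0, UNLOCK_ALLOW = 1 };

/* Constructed stand-in for an unreachable LDAP/NSS backend: no entry returned. */
static struct passwd *lookup_directory_down(uid_t uid) { (void)uid; return NULL; }

/* Constructed stand-in for a healthy lookup returning a sample account. */
static struct passwd *lookup_ok(uid_t uid) {
    static char name[] = "alice";
    static struct passwd pw;
    pw.pw_name = name;
    pw.pw_uid = uid;
    return &pw;
}

/* Constructed verifier: accepts one sample password for the sample account. */
static int verify_sample(const char *user, const char *typed) {
    return strcmp(user, "alice") == 0 && strcmp(typed, "correct horse") == 0;
}

/* Fail closed: every path that cannot positively verify the password denies. */
enum unlock_result try_unlock(pw_lookup_fn lookup, verify_fn verify, const char *typed) {
    struct passwd *pw = lookup(getuid());
    /* NULL means "no answer" (e.g. directory down); never dereference it or
       treat it as success. The screen stays locked until a lookup succeeds. */
    if (pw == NULL || pw->pw_name == NULL || pw->pw_name[0] == '\0')
        return UNLOCK_DENY;
    if (typed == NULL || !verify(pw->pw_name, typed))
        return UNLOCK_DENY;
    return UNLOCK_ALLOW;
}

int main(void) {
    printf("down/any: %d\n", try_unlock(lookup_directory_down, verify_sample, "anything"));
    printf("up/right: %d\n", try_unlock(lookup_ok, verify_sample, "correct horse"));
    printf("real/wrong: %d\n", try_unlock(getpwuid, verify_sample, "wrong"));
    return 0;
}
```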
|
Impact:
A physically local user can bypass the screen saver password feature.
|
Solution:
The vendor has issued a fixed version (5.02).
|
Vendor URL: www.jwz.org/xscreensaver/
|
Cause:
Authentication error
|
Underlying OS: Linux (Any), UNIX (Any)
|