Gentoo Archives: gentoo-announce

From: Sergey Popov <pinkbyte@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201309-03 ] Xlockmore: Denial of Service
Date: Mon, 02 Sep 2013 09:30:39
Message-Id: 522459F9.4050702@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201309-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Xlockmore: Denial of Service
     Date: September 02, 2013
     Bugs: #255229, #440776, #477328
       ID: 201309-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in Xlockmore might allow remote attackers to cause a
Denial of Service.

Background
==========

Xlockmore is just another screensaver application for X.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  x11-misc/xlockmore           < 5.43                    >= 5.43

Description
===========

A Denial of Service flaw was found in the way Xlockmore performed
the passing of arguments to the underlying localtime() call, when the
'dlock' mode was used.

Impact
======

A local attacker could possibly cause a Denial of Service condition and
potentially obtain unauthorized access to the graphical session,
previously locked by another user.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Xlockmore users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-misc/xlockmore-5.43"

References
==========

[ 1 ] CVE-2012-4524
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4524
[ 2 ] CVE-2013-4143
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4143

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201309-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
