Bug 13783

Summary: CVE-2007-3920: improper focus handling leads to screensaver bypass
Product: xorg Reporter: sean finney <seanius>
Component: App/compizAssignee: David Reveman <reveman>
Status: RESOLVED NOTOURBUG QA Contact: Xorg Project Team <xorg-team>
Severity: normal    
Priority: medium    
Version: git   
Hardware: All   
OS: All   
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3920
Whiteboard:
i915 platform: i915 features:

Description sean finney 2007-12-22 06:15:56 UTC 
hi there,

(this was also posted to the opencompositing bugzilla, but speaking with devs on irc they suggested i report it here instead).

from the CVE entry:

GNOME screensaver 2.20 in Ubuntu 7.10, when used with Compiz, does not properly
reserve input focus, which allows attackers with physical access to take
control of the session after entering an Alt-Tab sequence, a related issue to
CVE-2007-3069. 

ubuntu released a patch which seems "wrong" to me:

http://launchpadlibrarian.net/10187980/compiz_0.6.0%2Bgit20071008-0ubuntu2.debdiff

if you take a look at it i think you should be able to see why.  a much more
informed and technical discussion takes place in the redhat bug report:

https://bugzilla.redhat.com/show_bug.cgi?id=350271

which states that changes need to be made in compiz handling of (unredirected?)
full screen apps to really fix the bug.  could you comment on whether or not
that's the case?  looking in the git repo for master and 0.6, i don't see any
changes which seem relevant to this issue.

this has also been reported in the debian BTS as:

 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449108

though no further information is there which isn't mentioned in the RH or
ubuntu bug reports.... I'd just like to get some feedback from the compiz devs
before i take any action on the debian side.


thanks!

    sean

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.