(this was also posted to the opencompositing bugzilla, but speaking with devs on IRC they suggested I report it here instead).

from the CVE entry:
GNOME screensaver 2.20 in Ubuntu 7.10, when used with Compiz, does not properly
reserve input focus, which allows attackers with physical access to take
control of the session after entering an Alt-Tab sequence, a related issue to

ubuntu released a patch which seems "wrong" to me:
if you take a look at it I think you should be able to see why. a much more
informed and technical discussion takes place in the redhat bug report:
which states that changes need to be made in compiz handling of (unredirected?)
full screen apps to really fix the bug. could you comment on whether or not
that's the case? looking in the git repo for master and 0.6, I don't see any
changes which seem relevant to this issue.
this has also been reported in the debian BTS as:
though no further information is there which isn't mentioned in the RH or
ubuntu bug reports.... I'd just like to get some feedback from the compiz devs
before I take any action on the debian side.

Fixed in the X server: