Bug 13783 - CVE-2007-3920: improper focus handling leads to screensaver bypass
Summary: CVE-2007-3920: improper focus handling leads to screensaver bypass
Alias: None
Product: xorg
Classification: Unclassified
Component: App/compiz (show other bugs)
Version: git
Hardware: All All
: medium normal
Assignee: David Reveman
QA Contact: Xorg Project Team
URL: http://cve.mitre.org/cgi-bin/cvename....
Depends on:
Reported: 2007-12-22 06:15 UTC by sean finney
Modified: 2008-02-26 00:43 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Description sean finney 2007-12-22 06:15:56 UTC
hi there,

(this was also posted to the opencompositing bugzilla, but speaking with devs on irc they suggested i report it here instead).

from the CVE entry:

GNOME screensaver 2.20 in Ubuntu 7.10, when used with Compiz, does not properly
reserve input focus, which allows attackers with physical access to take
control of the session after entering an Alt-Tab sequence, a related issue to

ubuntu released a patch which seems "wrong" to me:


if you take a look at it i think you should be able to see why.  a much more
informed and technical discussion takes place in the redhat bug report:


which states that changes need to be made in compiz handling of (unredirected?)
full screen apps to really fix the bug.  could you comment on whether or not
that's the case?  looking in the git repo for master and 0.6, i don't see any
changes which seem relevant to this issue.

this has also been reported in the debian BTS as:


though no further information is there which isn't mentioned in the RH or
ubuntu bug reports.... I'd just like to get some feedback from the compiz devs
before i take any action on the debian side.



Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.