hi there,

(this was also posted to the opencompositing bugzilla, but speaking with devs on irc they suggested i report it here instead).

from the CVE entry:

GNOME screensaver 2.20 in Ubuntu 7.10, when used with Compiz, does not properly reserve input focus, which allows attackers with physical access to take control of the session after entering an Alt-Tab sequence, a related issue to CVE-2007-3069.

ubuntu released a patch which seems "wrong" to me:

http://launchpadlibrarian.net/10187980/compiz_0.6.0%2Bgit20071008-0ubuntu2.debdiff

if you take a look at it i think you should be able to see why. a much more informed and technical discussion takes place in the redhat bug report:

https://bugzilla.redhat.com/show_bug.cgi?id=350271

which states that changes need to be made in compiz handling of (unredirected?) full screen apps to really fix the bug. could you comment on whether or not that's the case? looking in the git repo for master and 0.6, i don't see any changes which seem relevant to this issue.

this has also been reported in the debian BTS as:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449108

though no further information is there which isn't mentioned in the RH or ubuntu bug reports....

I'd just like to get some feedback from the compiz devs before i take any action on the debian side.

thanks!
sean

Fixed in the X server:

http://cgit.freedesktop.org/xorg/xserver/commit/?id=a6a7fadbb03ee99312dfb15ac478ab3c414c1c0b
http://lists.freedesktop.org/archives/xorg/2008-January/032129.html