oss-sec mailing list archives

CVE Request -- gnome-desktop3: Switching users dialog does not lock the screen for the original user account


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Tue, 19 Apr 2011 19:39:45 +0200


Hello Josh, Steve, vendors,

  it has been reported that in Gnome, after using the "Switch user" dialog to log in to a
new user account (user2) and then logging out of that new user account (user2), the desktop
is returned to the original user account (user1) without prompting for a password. A locally
proximate attacker could use this flaw to access resources which should otherwise be protected
by authentication.

Original report:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=697199

Upstream bug report:
[2] https://bugzilla.gnome.org/show_bug.cgi?id=648234

Could you allocate a CVE id for this?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

