oss-sec mailing list archives
CVE request: pyxtrlock
From: Leon Weber <leon () leonweber de>
Date: Wed, 25 Sep 2013 21:28:46 +0200
Hi,

two security issues were found and fixed in pyxtrlock[1], a lightweight X screen locker.

• A mis-spelled variable name could cause the program to crash and thus unlock the screen without requiring a password if the erroneous code line was reached, which could be achieved by correctly timing multiple authentication failures. This was found by Paul Lhussiez and reported to us at <https://github.com/leonnnn/pyxtrlock/issues/8>.

  Commit containing the fix, and security release announcement:
  <https://github.com/leonnnn/pyxtrlock/commit/297a697ce1543451166a9c85ba1e0dd76fa4ae10>
  <https://zombofant.net/blog/2013/8/pyxtrlock-release-0.1-130825>

  All versions before release 0.1 or git commit 297a697 are vulnerable.

• Incorrect return value checking after calling XCB library functions led to the program seemingly starting up normally, but leaving the keyboard or mouse not actually locked in case the xcb_grab_*() functions returned an error. There would be no indication for the user that one of the input devices is not locked.

  Commit containing the fix, and security release announcement:
  <https://github.com/leonnnn/pyxtrlock/commit/50a8522392809a5688638d074fb9f84264c8b58d>
  <https://zombofant.net/blog/2013/9/pyxtrlock-release-0.2-130909>

  All versions before release 0.2 or git commit 50a8522 are vulnerable.

Could CVE-IDs be assigned for these, please?

--
Leon.
(pyxtrlock maintainer)

[1]: <https://zombofant.net/hacking/pyxtrlock>
Attachment:
signature.asc
Description: Digital signature
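Both issues in the report above are fail-open failure modes of a screen locker: an unhandled exception in the authentication loop ends the process (and with it the lock), and an ignored grab status leaves an input device ungrabbed while the locker looks engaged. The following is an added illustration written for this page, not pyxtrlock's code. It replaces the X server with a tiny fake (FakeServer, a hypothetical name) whose grab calls return the status values that xcb_grab_keyboard_reply() and xcb_grab_pointer_reply() can report, and it models the mis-spelled variable with a deliberately typo'd name in a hypothetical check_password(). The "fragile" and hardened variants are placed side by side; everything else (run_lock_loop, lock_inputs, failed_grabs) is an assumption of this example.

```python
"""Fail-closed patterns for a screen locker (illustration, not pyxtrlock code)."""

from enum import IntEnum


class GrabStatus(IntEnum):
    # Values of XCB's xcb_grab_status_t, as returned in the reply's status field.
    SUCCESS = 0
    ALREADY_GRABBED = 1
    INVALID_TIME = 2
    NOT_VIEWABLE = 3
    FROZEN = 4


class LockError(Exception):
    """Raised when the locker cannot guarantee that every input device is grabbed."""


class FakeServer:
    """Hypothetical stand-in for the X server: each grab returns a status we choose."""

    def __init__(self, keyboard_status, pointer_status):
        self.keyboard_status = keyboard_status
        self.pointer_status = pointer_status

    def grab_keyboard(self):
        return self.keyboard_status

    def grab_pointer(self):
        return self.pointer_status


def lock_inputs_unchecked(server):
    # Issue 2 pattern: issue the grabs and ignore what they report. The caller
    # sees "started normally" even if a device was never grabbed.
    server.grab_keyboard()
    server.grab_pointer()
    return True


def failed_grabs(server):
    """Return (device, status name) for every grab that did not report SUCCESS."""
    results = (("keyboard", server.grab_keyboard()), ("pointer", server.grab_pointer()))
    return [(dev, GrabStatus(st).name) for dev, st in results if st != GrabStatus.SUCCESS]


def lock_inputs(server):
    # Hardened: refuse to present the screen as locked unless both grabs succeeded.
    failures = failed_grabs(server)
    if failures:
        raise LockError("input grab failed: " + ", ".join(f"{d}={s}" for d, s in failures))
    return True


def check_password(attempt, secret, failures):
    # Hypothetical checker carrying the kind of bug in issue 1: a code path that is
    # only reached after repeated failures references a mis-spelled name and raises
    # NameError at runtime.
    if attempt == secret:
        return True
    if failures >= 2:
        return faliures_exceeded  # noqa: F821  (deliberate typo -> NameError)
    return False


def run_lock_loop_fragile(attempts, secret):
    """Issue 1 pattern: an unhandled exception terminates the loop.

    A crashing locker leaves the screen open, modelled here as "unlocked_by_crash".
    """
    failures = 0
    try:
        for attempt in attempts:
            if check_password(attempt, secret, failures):
                return "unlocked_by_password"
            failures += 1
        return "still_locked"
    except Exception:
        return "unlocked_by_crash"


def run_lock_loop(attempts, secret):
    """Hardened loop: a failing check counts as a wrong password, never as an exit."""
    failures = 0
    for attempt in attempts:
        try:
            ok = check_password(attempt, secret, failures)
        except Exception:
            ok = False  # fail closed: the screen stays locked
        if ok:
            return "unlocked_by_password"
        failures += 1
    return "still_locked"


if __name__ == "__main__":
    attempts = ["a", "b", "c", "secret"]  # constructed input: three failures, then the right one
    print("fragile :", run_lock_loop_fragile(attempts, "secret"))
    print("hardened:", run_lock_loop(attempts, "secret"))
    print("unchecked grab:", lock_inputs_unchecked(FakeServer(GrabStatus.ALREADY_GRABBED, GrabStatus.SUCCESS)))
    print("checked grab  :", failed_grabs(FakeServer(GrabStatus.ALREADY_GRABBED, GrabStatus.SUCCESS)))
```

The two hardened variants share one principle: the only path out of the locked state is a successful password check, and the locker only claims to be locked after every grab has confirmed SUCCESS. In a real locker, a failed grab should abort startup with a visible error rather than raise silently, so the user knows the screen was never locked.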