Message-ID: <562B9FE6.605@fedoraproject.org>
Date: Sun, 25 Oct 2015 00:12:38 +0900
From: Mamoru TASAKA <mtasaka@...oraproject.org>
To: oss-security@...ts.openwall.com
Cc: secalert@...hat.com, Mamoru Tasaka <mtasaka@...oraproject.org>
Subject: CVE request: xscreensaver aborts when unplugging second monitor cable
 when asking password

Hello, all:

I received a Fedora bug report
https://bugzilla.redhat.com/show_bug.cgi?id=1274452
that on XFCE,

* using VGA and HDMI dual monitor (for example)
* lock the screen with $ xscreensaver-command -lock
* move mouse, password dialog appears
* while the password dialog is still displayed, unplug the HDMI cable

then xscreensaver abort()s (actually it abort()s,
not segv; however, I guess that is not important)
(at line 420 in xscreensaver-5.33/driver/subprocs.c)

100% reproducible. This issue is already public at
https://twitter.com/Thaolia/status/656823859304398848

The upstream developer and I have already tracked down the cause,
and upstream sent me a patch, which seems to be
working. Hopefully upstream
will release the new version soon.

Please assign a CVE ID for this.

Best regards,
Mamoru TASAKA <mtasaka@...oraproject.org>
