Additional Distro Versions Vuln to usn-2789-1

Bug #1512931 reported by Nick
This bug affects 1 person
Affects: xscreensaver (Debian); Status: Fix Released; Importance: Unknown
Affects: xscreensaver (Ubuntu); Status: Fix Released; Importance: Undecided; Assigned to: Unassigned

Bug Description

Not sure if you're aware, but I'm able to replicate usn-2789-1 on:
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=15.04
DISTRIB_CODENAME=vivid
DISTRIB_DESCRIPTION="Ubuntu 15.04"

Current release in vivid:
||/ Name Version Architecture Description
+++-======================-================-================-=================================================
ii xscreensaver 5.30-1ubuntu1 amd64 Screensaver daemon and frontend for X11

The bug page only lists 12.04LTS as being vulnerable.

I was able to reproduce by having a dual screen (desktop) setup, and unplugging the *secondary* (as according to display settings), whilst the xscreensaver password unlock dialog was open.

Marc Deslauriers (mdeslaur) wrote :

Yes, we're aware. In Ubuntu 15.04, xscreensaver is in Universe, which means it is community maintained and doesn't get official security updates.

information type: Private Security → Public Security
Changed in xscreensaver (Ubuntu):
status: New → Incomplete
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Launchpad Janitor (janitor) wrote :

[Expired for xscreensaver (Ubuntu) because there has been no activity for 60 days.]

Changed in xscreensaver (Ubuntu):
status: Incomplete → Expired
Tormod Volden (tormodvolden) wrote :

There are patches available in the Debian bug tracker (5.15 is a bit different than the newer versions). I believe the issue is still present in Trusty, Vivid and Wily, although it has been fixed in Precise.

Changed in xscreensaver (Ubuntu):
status: Expired → Confirmed
Changed in xscreensaver (Debian):
status: Unknown → Fix Released
Changed in xscreensaver (Ubuntu):
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
