Your message dated Fri, 25 Sep 2009 22:29:33 +0000 with message-id <e1mrjid-0000vo...@ries.debian.org> and subject line Bug#539699: fixed in xscreensaver 5.10-2 has caused the Debian Bug report #539699, regarding xscreensaver: unlocked because killed, infinite loop with small screen to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 539699: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539699 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: xscreensaver Version: 5.05-3 Severity: grave Tags: security patch Justification: user security hole Reproduce by setting a narrow X resolution, in this case I was running Xnest at 410x384, type something to get the password dialog, but it never comes up. xscreensaver goes into an infinite loop eating memory, and the one time I let it run, the Linux kernel out of memory detector killed xscreensaver unlocking the X server. That's why I marked this with the security tags. Do any hardware and X software automatically pick up and use newly plugged in displays? If so, it might be exploited by, plugging in a custom display device with a small screen, and use this exploit to kill the screen saver get access to the system, then restart the xscreensaver to make detection more difficult. The problem is when mlstring_wrap detects a space will copy the whitespace on to a new line and then truncate the original string for the current line. If in the next iteration the line is still too long, and the current whitespace character is the first one encountered it is in an infinite loop finding the same whitespace character. In my case line_length is 5, and the string is "Please enter your password." This patch will leave the whitespace in the previous line so it can't be found the next iteration. It will also make the previous line too wide, but only the whitespace would be over the border. On a site note it might be a good idea to always put the logo on the right side, or put it on the right side when the width is too small. With the patch at 410 pixels wide the logo takes up almost all of the screen and the text is just visible at the right side. diff --git a/driver/mlstring.c b/driver/mlstring.c index d6df844..a850890 100644 --- a/driver/mlstring.c +++ b/driver/mlstring.c @@ -153,6 +153,8 @@ mlstring_wrap(mlstring *mstring, XFontStruct *font, Dimension width) if (wrap_at == -1) /* No space found, hard wrap */ wrap_at = line_length; + else + wrap_at++; /* Leave the space at the end of the line. */ newml = calloc(1, sizeof(*newml)); if (!newml) /* OOM, don't bother trying to wrap */ -- System Information: Debian Release: 5.0.2 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i586) Kernel: Linux 2.6.29-rc3 Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/bash Versions of packages xscreensaver depends on: ii libatk1.0-0 1.22.0-1 The ATK accessibility toolkit ii libc6 2.7-18 GNU C Library: Shared libraries ii libcairo2 1.6.4-7 The Cairo 2D vector graphics libra ii libglade2-0 1:2.6.2-1 library to load .glade files at ru ii libglib2.0-0 2.16.6-2 The GLib library of C routines ii libgtk2.0-0 2.12.12-1~lenny1 The GTK+ graphical user interface ii libice6 2:1.0.4-1 X11 Inter-Client Exchange library ii libpam0g 1.0.1-5+lenny1 Pluggable Authentication Modules l ii libpango1.0-0 1.20.5-5 Layout and rendering of internatio ii libsm6 2:1.0.3-2 X11 Session Management library ii libx11-6 2:1.1.5-2 X11 client-side library ii libxext6 2:1.0.4-1 X11 miscellaneous extension librar ii libxinerama1 2:1.0.3-2 X11 Xinerama extension library ii libxml2 2.6.32.dfsg-5 GNOME XML library ii libxmu6 2:1.0.4-1 X11 miscellaneous utility library ii libxpm4 1:3.5.7-1 X11 pixmap library ii libxrandr2 2:1.2.3-1 X11 RandR extension library ii libxrender1 1:0.9.4-2 X Rendering Extension client libra ii libxt6 1:1.0.5-3 X11 toolkit intrinsics library ii libxxf86misc1 1:1.0.1-3 X11 XFree86 miscellaneous extensio ii libxxf86vm1 1:1.0.2-1 X11 XFree86 video mode extension l ii xscreensaver-data 5.05-3 data files to be shared among scre Versions of packages xscreensaver recommends: ii libjpeg-progs 6b-14 Programs for manipulating JPEG fil ii perl [perl5] 5.10.0-19 Larry Wall's Practical Extraction ii wamerican [wordlist] 6-2.3 American English dictionary words pn xli | xloadimage <none> (no description available) Versions of packages xscreensaver suggests: ii fortune-mod [fortune] 1:1.99.1-3.1 provides fortune cookies on demand ii iceape-browser [www-bro 1.1.14-1 Iceape Navigator (Internet browser ii iceweasel [www-browser] 3.0.6-1 lightweight web browser based on M ii konqueror [www-browser] 4:3.5.9.dfsg.1-6 KDE's advanced file manager, web b ii lynx-cur [www-browser] 2.8.7dev9-2.1 Text-mode WWW Browser with NLS sup ii streamer 3.95.dfsg.1-8 television capture tool (images/mo pn xdaliclock <none> (no description available) pn xfishtank <none> (no description available) pn xscreensaver-gl <none> (no description available) -- no debconf information
--- End Message ---
--- Begin Message ---Source: xscreensaver Source-Version: 5.10-2 We believe that the bug you reported is fixed in the latest version of xscreensaver, which is due to be installed in the Debian FTP archive: xscreensaver-data-extra_5.10-2_i386.deb to pool/main/x/xscreensaver/xscreensaver-data-extra_5.10-2_i386.deb xscreensaver-data_5.10-2_i386.deb to pool/main/x/xscreensaver/xscreensaver-data_5.10-2_i386.deb xscreensaver-gl-extra_5.10-2_i386.deb to pool/main/x/xscreensaver/xscreensaver-gl-extra_5.10-2_i386.deb xscreensaver-gl_5.10-2_i386.deb to pool/main/x/xscreensaver/xscreensaver-gl_5.10-2_i386.deb xscreensaver_5.10-2.diff.gz to pool/main/x/xscreensaver/xscreensaver_5.10-2.diff.gz xscreensaver_5.10-2.dsc to pool/main/x/xscreensaver/xscreensaver_5.10-2.dsc xscreensaver_5.10-2_i386.deb to pool/main/x/xscreensaver/xscreensaver_5.10-2_i386.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 539...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Jose Luis Rivas <ghost...@debian.org> (supplier of updated xscreensaver package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Format: 1.8 Date: Fri, 25 Sep 2009 16:52:44 -0430 Source: xscreensaver Binary: xscreensaver xscreensaver-data xscreensaver-data-extra xscreensaver-gl xscreensaver-gl-extra Architecture: source i386 Version: 5.10-2 Distribution: unstable Urgency: low Maintainer: Jose Luis Rivas <ghost...@debian.org> Changed-By: Jose Luis Rivas <ghost...@debian.org> Description: xscreensaver - Automatic screensaver for X xscreensaver-data - data files to be shared among screensaver frontends xscreensaver-data-extra - data files to be shared among screensaver frontends xscreensaver-gl - GL(Mesa) screen hacks for xscreensaver xscreensaver-gl-extra - GL(Mesa) screen hacks for xscreensaver Closes: 314553 357297 481749 486603 495633 504424 505379 539699 539937 544352 544837 Changes: xscreensaver (5.10-2) unstable; urgency=low . * Updated my email on debian/copyright. * Added README.hacking to debian/xscreensaver.docs (Closes: #544352). * Included a hook for Xsession thanks to Y Giridhar Appaji Nag <deb...@appaji.net> (Closes: #357297). * Fixed the changelog. . xscreensaver (5.10-1) unstable; urgency=low . [ Tormod Volden ] * Drop patch applied upstream: - 12_upstream_fix_typo_in_de.po.patch * Removed hyperball and hypercube hacks, retired upstream . [ Jose Luis Rivas ] * Updated Standards-Version to 3.8.3 wo/ any changes needed. * Created debian/README.source. * Added patch 20_hack_flurry_man_name for NAME section of manpage for flurry hack. * Changed my email from ghostba...@gmail.com to ghost...@debian.org on Maintainer field. * Acknoledging nmu for 5.05. . [ Tormod Volden ] * New Upstream Version - Fixed intermittent failure in xscreensaver-command Thanks to contribution by James Vega (Closes: 486603) - Fixed another potential RANDR crash * Drop patches applied upstream: - 11_upstream_phosphor_segfault_win_size.patch - 63_upstream_blinkbox-man.patch - 64_upstream_topblock-man.patch - 65_upstream_eruption-man.patch - 66_upstream_truchet-man.patch - 67_upstream_metaballs-man.patch - 70_upstream_fix_local_screenlock_bypass.patch (Closes: #539699) * Do not ship juggle any longer (merged with juggler3d) * Ship new hacks: rubikblocks and surfaces * 80_Makefile_in-clean-fix.patch: Workaround for make distclean failure in some situations, probably autoconf 2.64 issue * Ship the new "photopile" hack * Delete two unused patches (52_ and 60_) from source * Fix location of Norwegian Bokmål locale (no -> nb) * Do not ship these hacks any longer (retired upstream): bubbles, critical, flag, forest, glforestfire, lmorph, laser, lightning, lisa, lissie, rotor, sphere, spiral, t3d, vines, whirlygig, worm, mismunch * 10_upstream_skip_retired_hacks.patch: Fix hacks/Makefile.in and hacks/glx/Makefile.in so that retired hacks are not built * debian/control: Update FSF address * Update to debhelper compat 7 * Fix typo in package description (Closes: #504424) * Add missing hacks to package description (Closes: #481749) * debian/control: Breaks gnome-screensaver < 2.26 since we are using full paths in the desktop files * Split debian/patches/20_hacks_Makefile.patch into new 20_hacks_man_section.patch and 20_hacks_maze_xpm_libs.patch * debian/patches/20_skip_install-pam.patch: Do not run install-pam since we use dh_installpam * 11_upstream_phosphor_segfault_win_size.patch: phospor hack segfaults on window resize (Closes: #505379) * debian/split-hacks.{sh,config}: Configure which hacks go in which packages instead of manually editing *.files (Closes: #539937) * Refresh 50_driver_screensaver-properties-desktop.patch so that we do not change the .desktop file Category (Closes: #544837) . [ James Vega ] * debian/rules: Fix sequential build invokations . [ Jose Luis Rivas ] * debian/copyright: Major update (not 100% yet) * Move jigsaw from xscreensaver-data-extra.files to xscreensaver-gl-extra.files since it now is a glx hack * Screensavers that uses images now rotates according to EXIF data since this new upstream version (Closes: #314553) * Reinstate flurry on xscreensaver-gl-extra since crashes were not reproducible (Closes: #495633) Checksums-Sha1: b2e8f8197aa50491f3f389813694b65f522e5d0c 1746 xscreensaver_5.10-2.dsc e0a838a8020f178fcf46a49c949d56e67b5d88bf 5576745 xscreensaver_5.10.orig.tar.gz bee9d0a48f3fe3e87b18000a07bd47cad37062bc 72926 xscreensaver_5.10-2.diff.gz 648718771f0e50ac4c7074d0a143f237f9a4f12f 733952 xscreensaver_5.10-2_i386.deb fc46e7d949050322f7b6505eae5bb489638a1bc6 530308 xscreensaver-data_5.10-2_i386.deb 1fa691d08b31ce62fb91d876fe36b3e726072c06 2577674 xscreensaver-data-extra_5.10-2_i386.deb 97f5416c6a0db9f2a362329d8be75eea58253dab 1982162 xscreensaver-gl_5.10-2_i386.deb af265b8bf7b85c9a240502d1e8f803d35310ed7c 2125334 xscreensaver-gl-extra_5.10-2_i386.deb Checksums-Sha256: a0564710552b78e6500c8cc8a420c1e982b96bee5da33f7fa84b0c6a45bafb40 1746 xscreensaver_5.10-2.dsc 4aa216caa2b9556db9652558eb84ab33690f6f14475036e2bf22c23b7c79e61f 5576745 xscreensaver_5.10.orig.tar.gz 306573995c2545c9a3ad0f6bf00297b61ddc456e79c572167b4d619410bc8bd8 72926 xscreensaver_5.10-2.diff.gz b803af2c24c2f0e79027a295e687bef07c4c145cb315523f0fdc3e873ce2798a 733952 xscreensaver_5.10-2_i386.deb 64421c990219b43ef0b0935de6861d4a1763973993271de093c0c2cfc128f8b3 530308 xscreensaver-data_5.10-2_i386.deb 69c0cf617ce383862a24d7a1f741ed1777e81354bdc8e6220bf2ce4bd098f640 2577674 xscreensaver-data-extra_5.10-2_i386.deb 489d5de6894df220e83bcaf37593a7affa76ab8235eb761a3d903e7694aadb89 1982162 xscreensaver-gl_5.10-2_i386.deb b59329dd25c6afdb700de99854787594135445fd36d3c05bda33a6c01f2d7566 2125334 xscreensaver-gl-extra_5.10-2_i386.deb Files: fe4c93641add857367983fb110bc55a9 1746 x11 optional xscreensaver_5.10-2.dsc adcf0a2f156c8bdeec917356d0013acc 5576745 x11 optional xscreensaver_5.10.orig.tar.gz 4797917185850edcace7baebdc2da515 72926 x11 optional xscreensaver_5.10-2.diff.gz 7d9bd31dab2c37e28d0a98a3d673580a 733952 x11 optional xscreensaver_5.10-2_i386.deb f128553c07ab8491b6860ed25f0286c3 530308 x11 optional xscreensaver-data_5.10-2_i386.deb 6745986a1556a146bcf644042b39bd07 2577674 x11 optional xscreensaver-data-extra_5.10-2_i386.deb 82e5d7a2f91ca797d8f97bf0676fdc26 1982162 x11 optional xscreensaver-gl_5.10-2_i386.deb 810cbd53cd9c6a26895f71df8aea477e 2125334 x11 optional xscreensaver-gl-extra_5.10-2_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEAREDAAYFAkq9N2wACgkQOKCtW8rKsRgAlwCghP6SPeLyyCFcZcqrd0uKZX21 iLQAoK3Fs7HMJ52WuZEXUYdE81RDvHoc =U68D -----END PGP SIGNATURE-----
--- End Message ---
