[Secure-testing-team] [Secure-testing-commits] r12530 - data/CVE

Michael S. Gilbert
michael.s.gilbert at gmail.com
Mon Aug 10 04:12:32 UTC 2009

On Sun,  9 Aug 2009 13:55:11 +0000 Nico Golde wrote:
> Author: nion
> Date: 2009-08-09 13:55:11 +0000 (Sun, 09 Aug 2009)
> New Revision: 12530
> 
> Modified:
>    data/CVE/list
> Log:
> adjust xscreensaver impact, corner case
> 
> Modified: data/CVE/list
> ===================================================================
> --- data/CVE/list	2009-08-09 13:53:09 UTC (rev 12529)
> +++ data/CVE/list	2009-08-09 13:55:11 UTC (rev 12530)
> @@ -27,7 +27,7 @@
>  CVE-2009-XXXX [gnudips: remote priviledge escalation]
>  	- gnudips <unfixed> (medium; bug #539452)
>  CVE-2009-XXXX [xscreensaver: local screen lock bypassable via low resolution video devices]
> -	- xscreensaver <unfixed> (high; bug #539699)
> +	- xscreensaver <unfixed> (low; bug #539699)
>  CVE-2009-XXXX [php5: remote information disclosure]
>  	- php5 <unfixed> (medium; bug #540605)
>  	TODO: determine affected versions
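
Review bot: the downgrade on the xscreensaver line, from `(high; bug #539699)` to `(low; bug #539699)`, lands in the list with no rationale next to the entry; the only explanation is the log line "adjust xscreensaver impact, corner case". Since the entry's own title describes a local screen-lock bypass, a one-line NOTE beside the entry stating why the dependence on a low resolution video device makes it a corner case (and whether medium was considered as the intermediate rating) would let the next person triaging bug #539699 see the reasoning rather than only the changed word.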

i must respectfully disagree.  from a software point-of-view, yes, this
is a problem with a specific corner case for some random special screen
resolution.
however, from an attacker's perspective, this kind of weakness is a
goldmine.  simply gain physical access to your target (which, yes, may be
the hard part), plug in your misbehaving video device, and you're in.
it's just way too easy.
also from the 'severity levels' section of the narrative_introduction:
  high: a typical, exploitable security problem, which you'll really
  like to fix...
this is very exploitable, and hence should be fixed quickly.  i'd also
like to think of it from a regular user's perspective, i.e. if this
were to be prominently discussed in an article or magazine, how much of
a reaction would there be? how much would it concern the readers that
there is a known problem like this with their system that they can do
nothing to prevent?
mike