On Sun, 9 Aug 2009 13:55:11 +0000 Nico Golde wrote: > Author: nion > Date: 2009-08-09 13:55:11 +0000 (Sun, 09 Aug 2009) > New Revision: 12530 > > Modified: > data/CVE/list > Log: > adjust xscreensaver impact, corner case > > Modified: data/CVE/list > =================================================================== > --- data/CVE/list 2009-08-09 13:53:09 UTC (rev 12529) > +++ data/CVE/list 2009-08-09 13:55:11 UTC (rev 12530) > @@ -27,7 +27,7 @@ > CVE-2009-XXXX [gnudips: remote priviledge escalation] > - gnudips <unfixed> (medium; bug #539452) > CVE-2009-XXXX [xscreensaver: local screen lock bypassable via low resolution > video devices] > - - xscreensaver <unfixed> (high; bug #539699) > + - xscreensaver <unfixed> (low; bug #539699) > CVE-2009-XXXX [php5: remote information disclosure] > - php5 <unfixed> (medium; bug #540605) > TODO: determine affected versions
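Review bot: the severity change from high to low on the xscreensaver entry carries its justification only in the commit log ("corner case"), not in the tracker entry itself, so a later triager reading `- xscreensaver <unfixed> (low; bug #539699)` has no way to see why a local screen lock bypass was rated low. Suggest adding the reasoning next to the entry (a NOTE line stating that the bypass needs physical access plus a specific low-resolution video device, per the description in the entry title) so the decision is traceable and not silently reverted. Also worth noting for the record that the change skips medium entirely; if the intent is "exploitable but hard to reach", the rationale line should say so explicitly.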
I must respectfully disagree. From a software point of view, yes, this is a problem with a specific corner case for some random special screen resolution. However, from an attacker's perspective, this kind of weakness is a goldmine. Simply gain physical access to your target (which, yes, may be the hard part), plug in your misbehaving video device, and you're in. It's just way too easy.

Also, from the 'severity levels' section of the narrative_introduction:

> high: a typical, exploitable security problem, which you'll really like to fix...

This is very exploitable, and hence should be fixed quickly.

I'd also like to think of it from a regular user's perspective, i.e. if this were to be prominently discussed in an article or magazine, how much of a reaction would there be? How much would it concern the readers that there is a known problem like this with their system that they can do nothing to prevent?

mike

_______________________________________________
Secure-testing-team mailing list
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team

