Vulnerability Details : CVE-2010-0732
gdk/gdkwindow.c in GTK+ before 2.18.5, as used in gnome-screensaver before 2.28.1, performs implicit paints on windows of type GDK_WINDOW_FOREIGN, which triggers an X error in certain circumstances and consequently allows physically proximate attackers to bypass screen locking and access an unattended workstation by pressing the Enter key many times.
Exploit prediction scoring system (EPSS) score for CVE-2010-0732
Probability of exploitation activity in the next 30 days: 0.06%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 26 %
CVSS scores for CVE-2010-0732
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
6.2 | MEDIUM | AV:L/AC:H/Au:N/C:C/I:C/A:C | 1.9 | 10.0 | NIST |
CWE ids for CVE-2010-0732
- The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. Assigned by: nvd@nist.gov (Primary)
References for CVE-2010-0732
- https://bugzilla.redhat.com/show_bug.cgi?id=565527
  565527 – (CVE-2010-0732) CVE-2010-0732 gnome-screensaver: Race condition between shaking the unlock dialog and clearing the screen (Issue Tracking; Patch)
- https://bugzilla.gnome.org/show_bug.cgi?id=598476
  Bug 598476 – gnome-screensaver crashes when entering password incorrectly 5 times (Issue Tracking; Patch)
- http://www.openwall.com/lists/oss-security/2010/03/16/9
  oss-security - Re: Re: CVE Request: gnome-screensaver termination by pressing "Enter" (Mailing List)
- http://git.gnome.org/browse/gnome-screensaver/commit/?h=gnome-2-28&id=98f8a22412cf388217fd5b88915eadd274d68520
  Work around x errors by asking dialog to die on cancel (98f8a224) · Commits · Archive / gnome-screensaver · GitLab (Vendor Advisory)
- http://git.gnome.org/browse/gtk+/commit/?id=0748cf563d0d0d03001a62589f13be16a8ec06c1
  Never do implicit paints for foreign windows (0748cf56) · Commits · GNOME / gtk · GitLab (Patch)
- http://www.heise.de/newsticker/meldung/Gnome-Bildschirmsperre-in-OpenSuse-Linux-wirkungslos-2-Update-928580.html
  Gnome-Bildschirmsperre in OpenSuse-Linux wirkungslos [2. Update] | heise online (Third Party Advisory)
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:109
  mandriva.com (Broken Link)
- http://git.gnome.org/browse/gnome-screensaver/commit/?id=ab08cc93f2dc6223c8c00bfa1ca4f2d89069dbe0
  Work around x errors by asking dialog to die on cancel (ab08cc93) · Commits · Archive / gnome-screensaver · GitLab (Patch)
- http://secunia.com/advisories/39317
  (Broken Link)
- https://bugs.edge.launchpad.net/ubuntu/+source/gnome-screensaver/+bug/446395
  Bug #446395 “Screen lock unlocks after 5 wrong attempts” : Bugs : gnome-screensaver package : Ubuntu (Third Party Advisory)
- http://www.securityfocus.com/bid/38211
  gnome-screensaver Unlock Dialog Race Condition Lock Bypass Vulnerability (Third Party Advisory; VDB Entry)
- http://ftp.gnome.org/pub/gnome/sources/gtk+/2.18/gtk+-2.18.5.news
  (Vendor Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html
  [security-announce] SUSE Security Summary Report: SUSE-SR:2010:008 (Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2010/03/05/2
  oss-security - Re: CVE Request: gnome-screensaver termination by pressing "Enter" (Mailing List; Patch)
- http://www.openwall.com/lists/oss-security/2010/02/12/1
  oss-security - CVE Request: gnome-screensaver termination by pressing "Enter" (Mailing List)
Products affected by CVE-2010-0732
- cpe:2.3:a:gnome:screensaver:*:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:gtk:*:*:*:*:*:*:*:*