SB2012071208 - Permissions, Privileges, and Access Controls in tools.suckless slock
Published: July 12, 2012 Updated: August 11, 2020
Security Bulletin ID
SB2012071208
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-1620)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
slock 0.9 does not properly handle the XRaiseWindow event when the screen is locked, which might allow physically proximate attackers to obtain sensitive information by pressing a button, which reveals the desktop and active windows.
Remediation
Install update from vendor's website.
References
- http://hg.suckless.org/slock/rev/891a4984aba6
- http://secunia.com/advisories/48700
- http://www.openwall.com/lists/oss-security/2012/04/06/1
- http://www.openwall.com/lists/oss-security/2012/04/06/2
- http://www.osvdb.org/81035
- http://www.securityfocus.com/bid/52922
- https://bugs.gentoo.org/show_bug.cgi?id=401645
- https://bugzilla.redhat.com/show_bug.cgi?id=786310
- https://exchange.xforce.ibmcloud.com/vulnerabilities/74666