Bug 119628 - VUL-0: powersave -U is working for non-desktop user
Status: RESOLVED FIXED
Product: SUSE LINUX 10.0
Classification: openSUSE
Component: Mobile Devices
Version: Final
Hardware: Other All
Priority: P5 - None, Severity: Normal
Assignee: Security Team bot
QA Contact: E-mail List
Whiteboard: CVE-2005-4778: CVSS v2 Base Score: 2....
Reported: 2005-09-30 11:30 UTC by Stefan Behlert
Modified: 2009-10-13 21:38 UTC
Description Stefan Behlert 2005-09-30 11:30:14 UTC
Look for a machine where someone is working on a desktop. Log in remotely.
Type 'powersave -U'. 
Hear the desktop user scream when his machine goes into suspend. 
powersave -U/-u should only work for X-user.
Comment 1 Holger Macht 2005-09-30 11:43:19 UTC
We are checking this currently.
Comment 2 Timo Hoenig 2005-09-30 12:27:20 UTC
This is caused by missing entries in /etc/dbus-1/system.d/powersave.conf.
We've prepared a fix.

Andreas, do we need a new SWAMP id (since it is a security issue) or can we use 
SWAMP id 2419?
Comment 3 Andreas Jaeger 2005-09-30 12:45:01 UTC
Use SWAMP ID 2419 - and talk to the security-team.  They should release this
and change 2419 for their needs.
Comment 4 Marcus Meissner 2005-09-30 17:02:34 UTC
After you have submitted the fixed package, please just assign the bug to us.
 
I take it that only 10.0 is affected? 
Comment 5 Holger Macht 2005-10-03 18:24:14 UTC
Package and patchinfo submitted.

Yes, only 10.0 is affected.
Comment 6 Marcus Meissner 2005-10-05 14:25:01 UTC
Updates released.
Comment 7 Marcus Meissner 2006-04-18 14:45:33 UTC
CVE-2005-4778

The powersave daemon in SUSE Linux 10.0 before 20051007 has an
unspecified "configuration problem," which allows local users to
suspend the computer and possibly perform certain other unauthorized
actions.
Comment 8 Thomas Biege 2009-10-13 21:38:07 UTC
CVE-2005-4778: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)
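
Added example (not part of the bug thread and not the powersave package's own policy or fix): comment 2 attributes the problem to missing entries in a D-Bus system policy file, so this Python sketch audits such a file for whether the default context may send to a service. The bus name `org.example.PowerDaemon` and both sample policies are constructed placeholders, and the check is a simplification that only looks at `send_destination` rules inside one file.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies. "org.example.PowerDaemon" is a placeholder,
# not the real bus name used by the powersave daemon.
WEAK = """<busconfig>
  <policy user="root">
    <allow own="org.example.PowerDaemon"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.example.PowerDaemon"/>
  </policy>
</busconfig>"""

HARDENED = """<busconfig>
  <policy user="root">
    <allow own="org.example.PowerDaemon"/>
    <allow send_destination="org.example.PowerDaemon"/>
  </policy>
  <policy at_console="true">
    <allow send_destination="org.example.PowerDaemon"/>
  </policy>
  <policy context="default">
    <deny send_destination="org.example.PowerDaemon"/>
  </policy>
</busconfig>"""

SELECTORS = ("context", "user", "group", "at_console")

def send_verdicts(policy_xml, destination):
    """Map each <policy> selector in the file to its last allow/deny rule on
    send_destination for `destination` (a later rule overrides an earlier one)."""
    verdicts = {}
    for policy in ET.fromstring(policy_xml).iter("policy"):
        label = next((f"{k}={policy.get(k)}" for k in SELECTORS
                      if policy.get(k) is not None), "unknown")
        for rule in policy:
            if rule.tag in ("allow", "deny") and \
               rule.get("send_destination") in (destination, "*"):
                verdicts[label] = rule.tag
    return verdicts

def exposed_to_any_local_user(policy_xml, destination):
    """True when the file grants the default context (which includes users
    logged in remotely) permission to send messages to the service."""
    return send_verdicts(policy_xml, destination).get("context=default") == "allow"
```

A file that passes this check can still be permissive through rules in other policy files or through `send_interface` rules, which the sketch does not evaluate.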