pkg/42338: Potential security issue for x11/gnome-screensaver 2.28.0

[dhgutteridge%sympatico.ca@localhost]

>Number:         42338
>Category:       pkg
>Synopsis:       Potential security issue for x11/gnome-screensaver 2.28.0
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Nov 18 00:55:00 +0000 2009
>Originator:     David H. Gutteridge
>Release:        5.0_STABLE
>Organization:
>Environment:
NetBSD arcusvii.nonus-porta.net 5.0_STABLE NetBSD 5.0_STABLE (ARCUSVII) #3: Sat 
Nov  7 13:07:17 EST 2009  
disciple%arcusvii.nonus-porta.net@localhost:/home/disciple/netbsd-5/usr/src/sys/arch/i386/compile/obj/ARCUSVII
 i386
>Description:
Hello,

According to an Ubuntu bug report[1], there is a bug in gnome-
screensaver 2.28.0 where incorrectly supplied passwords can get
through the password prompt.  There is a patch available through
Ubuntu[2].  (There are also other patches that may be of interest in
that directory.  I was looking into this because I've been having
problems with gnome-screensaver 2.28.0, but they may be the result of a
local build or configuration problem at my end.  I'll report back
separately if they're more broadly relevant.)

1. https://bugs.launchpad.net/ubuntu/+source/gnome-screensaver/+bug/446395
2. 
http://patches.ubuntu.com/g/gnome-screensaver/extracted/08_gs_dialog_request_to_exit.patch

Regards,

Dave

PS How come this package doesn't use EXTRACT_SUFX=tar.bz2 like most
other Gnome packages?
>How-To-Repeat:
See above.
>Fix:
See above.