
Bug 399485

Summary: x11-base/xorg-server-1.11*: screensaver/screenlocker security bug
Product: Gentoo Linux Reporter: i.Dark_Templar <idarktemplar>
Component: [OLD] Unspecified Assignee: Gentoo Linux bug wranglers <bug-wranglers>
Status: RESOLVED DUPLICATE    
Severity: normal CC: idarktemplar
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description i.Dark_Templar 2012-01-20 10:01:28 UTC
A security bug allows killing the screenlocker used to lock the screen and ask for a password to unlock, if a person has physical access to the keyboard. This feature (as in the links below) was introduced and then removed in 2008; in 2011 it was reintroduced, but not documented and turned on by default.

Reproducible: Always

Steps to Reproduce:
1. Use a screensaver/screenlocker which asks for a password to unlock (for example, the KDE or GNOME ones)
2. Press Ctrl + Alt + * (the star from the Numpad)

Actual Results:
screensaver/screenlocker gets killed

Expected Results:  
screensaver/screenlocker should not get killed

https://bugs.archlinux.org/task/28003
http://www.phoronix.com/scan.php?page=news_item&px=MTA0NTA
http://gu1.aeroxteam.fr/2012/01/19/bypass-screensaver-locker-program-xorg-111-and-up/

Please fix this bug and mask xorg-server-1.11 while fixing or waiting for upstream fix (if there is going to be one).
I didn't test it with xorg-server-1.10, but the previous links say it's unaffected. Bug tested with xorg-server-1.11.2-r2.

Comment 1 Rafał Mużyło 2012-01-20 10:07:10 UTC

*** This bug has been marked as a duplicate of bug 399347 ***