Bug 399485 - x11-base/xorg-server-1.11*: screensaver/screenlocker security bug
Summary: x11-base/xorg-server-1.11*: screensaver/screenlocker security bug
Status: RESOLVED DUPLICATE of bug 399347
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Unspecified
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Linux bug wranglers
Reported: 2012-01-20 10:01 UTC by i.Dark_Templar
Modified: 2012-01-20 10:07 UTC

Description i.Dark_Templar 2012-01-20 10:01:28 UTC
A security bug allows killing the screenlocker, which is used to lock the screen and ask for a password to unlock, if a person has physical access to the keyboard. This feature (as in the links below) was introduced and then removed in 2008; in 2011 it was reintroduced, but not documented and turned on by default.

Reproducible: Always

Steps to Reproduce:
1. Use a screensaver/screenlocker which asks for a password to unlock (for example, KDE's or Gnome's).
2. Press Ctrl + Alt + * (the star on the Numpad).
Actual Results:  
screensaver/screenlocker gets killed

Expected Results:  
screensaver/screenlocker should not get killed

https://bugs.archlinux.org/task/28003
http://www.phoronix.com/scan.php?page=news_item&px=MTA0NTA
http://gu1.aeroxteam.fr/2012/01/19/bypass-screensaver-locker-program-xorg-111-and-up/

Please fix this bug and mask xorg-server-1.11 while fixing it or waiting for an upstream fix (if there is going to be one).
I didn't test it with xorg-server-1.10, but the links above say it's unaffected. Bug tested with xorg-server-1.11.2-r2.
Comment 1 Rafał Mużyło 2012-01-20 10:07:10 UTC

*** This bug has been marked as a duplicate of bug 399347 ***