KDE Project Security Advisory
Title: plasma-workspace, kscreenlocker: Lock screen bypass
Risk Rating: Low
Versions: plasma-workspace < 5.5.0, kscreenlocker < 5.5.5
Author: Martin Gräßlin firstname.lastname@example.org
Date: 09 February 2016
Turning all screens off while the lock screen is shown can result in the screen being unlocked when turning a screen on again.
An unauthorized user might gain access to a locked system. Physical access to the hardware is required.
For plasma-workspace apply the following patches:
5.0 branch: http://commits.kde.org/plasma-workspace/5651785ad6663e2ef4d12a94b0b5f1cb7d40a9a1
5.1 branch: http://commits.kde.org/plasma-workspace/1fe565e5dae31e57d81556b07e7459be14c5d834
5.2 branch: http://commits.kde.org/plasma-workspace/e1036973552a8964dffcbca0743eb1accc14bc56
5.3 branch: http://commits.kde.org/plasma-workspace/de6e19fd8c30166bdbc1333dcd5ef2278f570fa2
5.4 branch: http://commits.kde.org/plasma-workspace/23a9ed7ba9995570227dbcd69c23f009de7dde49
For kscreenlocker upgrade to Plasma 5.5.5 (after 1 March 2016) or apply the following patch:
Thanks to Dirk Weber for finding the issue, the openSUSE community for helping to investigate, and Martin Gräßlin for fixing the issue.
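As an added check that is not part of the advisory or of KDE's own code, the following Python parses the "Versions:" line above and reports whether installed versions fall below the first fixed release; the installed versions are constructed sample input and the function names are assumptions.

```python
"""Compare installed Plasma component versions against the advisory thresholds.

Added example, not KDE code. The thresholds are the advisory's "Versions:" line;
SAMPLE_INSTALLED is constructed input, not read from a real system.
"""
import re
from typing import Dict, Tuple

# Affected ranges exactly as stated in the advisory.
ADVISORY_VERSIONS = "plasma-workspace < 5.5.0, kscreenlocker < 5.5.5"

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '5.5.5' into (5, 5, 5) so each component compares numerically.

    Plain string comparison would wrongly rank '5.10.0' below '5.5.5'.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def parse_thresholds(line: str) -> Dict[str, Version]:
    """Parse 'pkg < X.Y.Z, pkg2 < A.B.C' into {pkg: first fixed version}."""
    thresholds = {}
    for entry in line.split(","):
        match = re.fullmatch(r"\s*([\w-]+)\s*<\s*([\d.]+)\s*", entry)
        if not match:
            raise ValueError(f"unparseable advisory entry: {entry!r}")
        thresholds[match.group(1)] = parse_version(match.group(2))
    return thresholds


def is_affected(package: str, installed: str, thresholds: Dict[str, Version]) -> bool:
    """True when the installed version is strictly below the first fixed version.

    Shorter versions are zero-padded so '5.5' equals '5.5.0' instead of sorting
    below it. Packages the advisory does not list raise KeyError on purpose.
    """
    fixed, have = thresholds[package], parse_version(installed)
    width = max(len(fixed), len(have))
    return have + (0,) * (width - len(have)) < fixed + (0,) * (width - len(fixed))


# Constructed sample input: one package below the threshold, one at the fix.
SAMPLE_INSTALLED = {"plasma-workspace": "5.4.3", "kscreenlocker": "5.5.5"}


def check_system(installed: Dict[str, str]) -> Dict[str, bool]:
    """Map each installed package to whether it is still affected."""
    thresholds = parse_thresholds(ADVISORY_VERSIONS)
    return {pkg: is_affected(pkg, ver, thresholds) for pkg, ver in installed.items()}


if __name__ == "__main__":
    for pkg, affected in check_system(SAMPLE_INSTALLED).items():
        print(f"{pkg}: {'AFFECTED' if affected else 'fixed'}")
```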
All versions in the tree are fixed.
(In reply to Michael Palimaka (kensington) from comment #1)
> All versions in the tree are fixed.
No stable version, setting noglsa.
CVE request at http://www.openwall.com/lists/oss-security/2016/02/09/4. Bug can be closed once that is added.