KDE Project Security Advisory
=============================

Title:        plasma-workspace, kscreenlocker: Lock screen bypass
Risk Rating:  Low
CVE:
Platforms:    X11
Versions:     plasma-workspace < 5.5.0, kscreenlocker < 5.5.5
Author:       Martin Gräßlin mgraesslin@kde.org
Date:         09 February 2016

Overview
========

Turning all screens off while the lock screen is shown can result in the
screen being unlocked when a screen is turned on again.

Impact
======

An unauthorized user might gain access to a locked system. Physical access to
the hardware is required.

Workaround
==========

None

Solution
========

For plasma-workspace apply the following patches:

5.0 branch:
http://commits.kde.org/plasma-workspace/5651785ad6663e2ef4d12a94b0b5f1cb7d40a9a1
5.1 branch:
http://commits.kde.org/plasma-workspace/1fe565e5dae31e57d81556b07e7459be14c5d834
5.2 branch:
http://commits.kde.org/plasma-workspace/e1036973552a8964dffcbca0743eb1accc14bc56
5.3 branch:
http://commits.kde.org/plasma-workspace/de6e19fd8c30166bdbc1333dcd5ef2278f570fa2
5.4 branch:
http://commits.kde.org/plasma-workspace/23a9ed7ba9995570227dbcd69c23f009de7dde49

For kscreenlocker upgrade to Plasma 5.5.5 (after 1 March 2016) or apply the
following patch:
http://commits.kde.org/kscreenlocker/fae65f1cdd6446042b31ccd0eafd7a4c0b6623e3

References
==========

https://bugs.kde.org/show_bug.cgi?id=358125
https://bugzilla.opensuse.org/show_bug.cgi?id=964548

Credits
=======

Thanks to Dirk Weber for finding the issue, the openSUSE community for helping
to investigate, and Martin Gräßlin for fixing the issue.
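As an added check, not part of the KDE advisory or of this bug, the following Python compares installed component versions against the affected ranges the advisory lists (plasma-workspace < 5.5.0, kscreenlocker < 5.5.5). The installed-version mapping at the bottom is constructed sample input, and the distribution suffix handling (Gentoo "-r1" revisions, "_rc" tags) is an assumption about how a package manager reports versions. Versions are compared as integer tuples rather than as strings, so 5.5.10 is correctly treated as newer than 5.5.5. Two caveats: a version number alone cannot tell whether a distribution has backported one of the listed patches into an older version (check the ebuild or spec for the commit), and the plasma-workspace range stops at 5.5.0 only because the advisory routes 5.5 users to kscreenlocker, not because plasma-workspace 5.5.x contains a fix.

```python
"""Version-range check for the plasma-workspace / kscreenlocker lock screen
bypass advisory.  Added example; not code from KDE or from the Gentoo bug."""
import re

# Affected ranges exactly as the advisory states them:
#   plasma-workspace < 5.5.0, kscreenlocker < 5.5.5
# A package is affected when its version is strictly below the tuple.
AFFECTED_BELOW = {
    "plasma-workspace": (5, 5, 0),
    "kscreenlocker": (5, 5, 5),
}


def parse_version(text):
    """Turn '5.4.3', '5.5.5-r1' (assumed Gentoo revision suffix) or
    '5.5.5_rc1' into a tuple of the leading numeric components.
    Trailing components are padded with zeros so '5.5' == '5.5.0'."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(package, version):
    """True if `version` of `package` is below the advisory's fixed version.
    Tuple comparison avoids the string-comparison trap where '5.5.10' < '5.5.5'."""
    if package not in AFFECTED_BELOW:
        raise KeyError(f"{package} is not covered by this advisory")
    return parse_version(version) < AFFECTED_BELOW[package]


def check_system(installed):
    """installed: {package_name: version_string} as reported by the package
    manager.  Packages the advisory does not mention are ignored.
    Returns the list of (package, version) pairs that still need the fix."""
    return [
        (pkg, ver)
        for pkg, ver in installed.items()
        if pkg in AFFECTED_BELOW and is_affected(pkg, ver)
    ]


if __name__ == "__main__":
    # Constructed sample input: a hypothetical Plasma 5.5.3 install.
    sample = {
        "plasma-workspace": "5.5.3",
        "kscreenlocker": "5.5.3-r1",
        "kwin": "5.5.3",
    }
    for pkg, ver in check_system(sample):
        print(f"{pkg} {ver}: affected, apply the advisory's fix")
```

Feed `check_system` the output of your package manager (for example the versions `equery list` or `rpm -q` print); on the sample above only kscreenlocker 5.5.3 is reported, since plasma-workspace 5.5.x is outside the advisory's range and kwin is not mentioned at all.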
All versions in the tree are fixed.
(In reply to Michael Palimaka (kensington) from comment #1)
> All versions in the tree are fixed.

Thanks :)

No stable version, setting noglsa. CVE request at http://www.openwall.com/lists/oss-security/2016/02/09/4 . Bug can be closed once that is added.