Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 05 Apr 2012 23:08:50 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE Request: slock-0.9 displays modal box after locking

From: https://bugs.gentoo.org/show_bug.cgi?id=401645

Longpoke 2012-01-31 15:21:57 UTC

If any program makes a modal dialog box while the screen is
black/controls locked with slock, and then some buttons are pressed on
the keyboard, the screen is unblackened, and everything is visible on
the desktop you locked on.

Steps to reproduce:
1. sleep 3; pcmanfm
2. slock
3. press some buttons
4. now black screen will go away and you can see the current active desktop

This is a critical vulnerability. I recommend blocking this package.

I'm running xmonad on amd64.

Longpoke 2012-02-01 03:41:11 UTC

You need to run the other program *concurrently*. I'll try and make the
reproduction steps clearer:

1. run sleep <n>; <X-program>
2. lock the screen as fast as you can
3. make sure <n> seconds has passed, so that you know <X-program> has
started
4. press some keys (any keys (doesn't have to be your actual password),
don't hit enter)

Now the black screen will go away and you can see the current active
desktop along with <X-program>.

Where <X-program> is the name of some X program that will create a
window and leave it open when executed, i.e: pcmanfm.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.