Date: Thu, 05 Apr 2012 23:09:44 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: slock-0.9 displays modal box after locking


On 04/05/2012 11:08 PM, Kurt Seifried wrote:
> From: https://bugs.gentoo.org/show_bug.cgi?id=401645
> 
> Longpoke 2012-01-31 15:21:57 UTC
> 
> If any program makes a modal dialog box while the screen is 
> black/controls locked with slock, and then some buttons are pressed
> on the keyboard, the screen is unblackened, and everything is
> visible on the desktop you locked on.
> 
> Steps to reproduce:
> 1. sleep 3; pcmanfm
> 2. slock
> 3. press some buttons
> 4. now the black screen will go away and you can see the current active desktop
> 
> This is a critical vulnerability. I recommend blocking this
> package.
> 
> I'm running xmonad on amd64.
> 
> Longpoke 2012-02-01 03:41:11 UTC
> 
> You need to run the other program *concurrently*. I'll try and make
> the reproduction steps clearer:
> 
> 1. run sleep <n>; <X-program>
> 2. lock the screen as fast as you can
> 3. make sure <n> seconds have passed, so that you know <X-program> has started
> 4. press some keys (any keys (doesn't have to be your actual password), don't hit enter)
> 
> Now the black screen will go away and you can see the current
> active desktop along with <X-program>.
> 
> Where <X-program> is the name of some X program that will create a 
> window and leave it open when executed, i.e: pcmanfm.
> 

Please use CVE-2012-1620 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
