Date: Thu, 05 Apr 2012 23:08:50 -0600 From: Kurt Seifried <kseifried@...hat.com> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: CVE Request: slock-0.9 displays modal box after locking From: https://bugs.gentoo.org/show_bug.cgi?id=401645 Longpoke 2012-01-31 15:21:57 UTC If any program makes a modal dialog box while the screen is black/controls locked with slock, and then some buttons are pressed on the keyboard, the screen is unblackened, and everything is visible on the desktop you locked on. Steps to reproduce: 1. sleep 3; pcmanfm 2. slock 3. press some buttons 4. now black screen will go away and you can see the current active desktop This is a critical vulnerability. I recommend blocking this package. I'm running xmonad on amd64. Longpoke 2012-02-01 03:41:11 UTC You need to run the other program *concurrently*. I'll try and make the reproduction steps clearer: 1. run sleep <n>; <X-program> 2. lock the screen as fast as you can 3. make sure <n> seconds has passed, so that you know <X-program> has started 4. press some keys (any keys (doesn't have to be your actual password), don't hit enter) Now the black screen will go away and you can see the current active desktop along with <X-program>. Where <X-program> is the name of some X program that will create a window and leave it open when executed, i.e: pcmanfm. -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.