Date: Thu, 05 Apr 2012 23:09:44 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: slock-0.9 displays modal box after locking


On 04/05/2012 11:08 PM, Kurt Seifried wrote:
> From: https://bugs.gentoo.org/show_bug.cgi?id=401645
> 
> Longpoke 2012-01-31 15:21:57 UTC
> 
> If any program makes a modal dialog box while the screen is 
> black/controls locked with slock, and then some buttons are pressed
> on the keyboard, the screen is unblackened, and everything is
> visible on the desktop you locked on.
> 
> Steps to reproduce:
> 1. sleep 3; pcmanfm
> 2. slock
> 3. press some buttons
> 4. now the black screen will go away and you can see the current active desktop
> 
> This is a critical vulnerability. I recommend blocking this
> package.
> 
> I'm running xmonad on amd64.
> 
> Longpoke 2012-02-01 03:41:11 UTC
> 
> You need to run the other program *concurrently*. I'll try and make
> the reproduction steps clearer:
> 
> 1. run sleep <n>; <X-program>
> 2. lock the screen as fast as you can
> 3. make sure <n> seconds have passed, so that you know <X-program> has started
> 4. press some keys (any keys (doesn't have to be your actual password), don't hit enter)
> 
> Now the black screen will go away and you can see the current
> active desktop along with <X-program>.
> 
> Where <X-program> is the name of some X program that will create a 
> window and leave it open when executed, i.e: pcmanfm.
> 

Please use CVE-2012-1620 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
