Package: libkscreenlocker5
Version: 5.20.5-1
Severity: critical
Tags: patch upstream
Justification: breaks the whole system
Dear Maintainer,

* What led up to the situation?

A variation of upstream bug report https://bugs.kde.org/show_bug.cgi?id=438099

pam-configuration with

    auth    [success=2 default=ignore]  pam_krb5.so minimum_uid=1000
    auth    [success=1 default=ignore]  pam_unix.so nullok try_first_pass
    auth    requisite                   pam_deny.so

and pressing "enter" to unlock the screen without entering a password.

* What was the outcome of this action?

Endless loop of

    kcheckpass[74114]: pam_krb5(kde:auth): pam_sm_authenticate: entry
    kcheckpass[74114]: pam_krb5(kde:auth): (user XXXX) error getting password: Conversation error
    kcheckpass[74114]: pam_krb5(kde:auth): authentication failure; logname=XXXX uid=XXXX euid=XXXX tty=:1 ruser= rhost=
    kcheckpass[74114]: pam_krb5(kde:auth): pam_sm_authenticate: exit (failure)
    kcheckpass[74114]: pam_unix(kde:auth): conversation failed
    kcheckpass[74114]: pam_unix(kde:auth): auth could not identify password for [XXXX]

(here more than 250 times / second) till the next unlock attempt with a password, flooding /var/log/auth.log and central authentication services. (Thus an unintentional "enter" on a locked screen can result in at least completely filled disks.)

* What outcome did you expect instead?

Authentication failure.

Please include the short patch
https://invent.kde.org/plasma/kscreenlocker/-/commit/fca315cf72826f93eda7a026016b33818b9d1f39
in kscreenlocker-5.20.5 in bullseye. The critical part has been completely rewritten in kscreenlocker-5.27.2 (testing) and the problem probably doesn't apply there.

Best regards,
Andreas Poenicke

BTW: Hotfix: Separate /etc/pam.d/kde configuration with "use_first_pass" instead of "try_first_pass", like

    auth    [success=2 default=ignore]  pam_krb5.so minimum_uid=1000
    auth    [success=1 default=ignore]  pam_unix.so use_first_pass
    auth    requisite                   pam_deny.so

which should be ok for kscreenlocker in most cases.
-- System Information:
Debian Release: 11.7
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-22-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US:de
Shell: /bin/sh linked to /usr/bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libkscreenlocker5 depends on:
ii  kpackagetool5            5.78.0-3
ii  libc6                    2.31-13+deb11u6
ii  libkf5configcore5        5.78.0-4
ii  libkf5configgui5         5.78.0-4
ii  libkf5coreaddons5        5.78.0-4
ii  libkf5crash5             5.78.0-3
ii  libkf5declarative5       5.78.0-2
ii  libkf5globalaccel-bin    5.78.0-3
ii  libkf5globalaccel5       5.78.0-3
ii  libkf5i18n5              5.78.0-2
ii  libkf5idletime5          5.78.0-2
ii  libkf5notifications5     5.78.0-2
ii  libkf5package5           5.78.0-3
ii  libkf5quickaddons5       5.78.0-2
ii  libkf5waylandclient5     4:5.78.0-2
ii  libkf5waylandserver5     4:5.78.0-2
ii  libkf5windowsystem5      5.78.0-2
ii  libkf5xmlgui5            5.78.0-2
ii  libpam0g                 1.4.0-9+deb11u1
ii  libqt5core5a             5.15.2+dfsg-9
ii  libqt5dbus5              5.15.2+dfsg-9
ii  libqt5gui5               5.15.2+dfsg-9
ii  libqt5network5           5.15.2+dfsg-9
ii  libqt5qml5               5.15.2+dfsg-6
ii  libqt5quick5             5.15.2+dfsg-6
ii  libqt5widgets5           5.15.2+dfsg-9
ii  libqt5x11extras5         5.15.2-2
ii  libstdc++6               10.2.1-6
ii  libwayland-client0       1.18.0-2~exp1.1
ii  libwayland-server0       1.18.0-2~exp1.1
ii  libx11-6                 2:1.7.2-1
ii  libxcb-keysyms1          0.4.0-1+b2
ii  libxcb1                  1.14-3
ii  libxi6                   2:1.7.10-1
ii  psmisc                   23.4-2

Versions of packages libkscreenlocker5 recommends:
ii  kde-config-screenlocker  5.20.5-1

libkscreenlocker5 suggests no packages.

-- no debconf information

-- 
Karlsruher Institut für Technologie
Institut für Theoretische Festkörperphysik
Institut für Theorie der Kondensierten Materie

Dr. Andreas Poenicke
Wolfgang-Gaede-Str. 1, Gebäude 30.23, D-76128 Karlsruhe
Phone: +49-721-608-43365
Fax: +49-721-608-47040
E-Mail: andreas.poeni...@kit.edu
WWW: www.tfp.kit.edu

KIT - The Research University in the Helmholtz Association
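The loop described in the report is easy to spot from the defender's side: the same kcheckpass process writes the PAM "no password" messages hundreds of times per second, while a human unlock attempt produces them at most once. The script below is an added example, not part of the bug report, of kscreenlocker or of Debian; it buckets conversation-failure messages per (program, pid, second) and flags any bucket above a threshold, so a misbehaving lock screen is reported before /var/log/auth.log fills the disk. The sample lines are constructed: they assume the usual syslog-style auth.log layout (timestamp, hostname, program[pid]: message), reuse the message texts quoted in the report, and a threshold of 50 messages per second is an arbitrary choice for the example.

```python
"""Detect PAM conversation-failure storms (e.g. the kcheckpass empty-password
loop) in auth.log.  Added example; the sample lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed syslog layout: "May 14 09:12:01 host kcheckpass[74114]: pam_unix(kde:auth): conversation failed"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Message texts (from the report) that mean the PAM conversation delivered no password at all.
CONVERSATION_FAILURE_RE = re.compile(
    r"conversation failed"
    r"|error getting password: Conversation error"
    r"|could not identify password"
)


def parse_line(line, year=2023):
    """Split one auth.log line into (timestamp, program, pid, message); None if it does not match.
    syslog lines carry no year, so the caller supplies one (fixed here for determinism)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["prog"], int(m["pid"]), m["msg"]


def find_conversation_storms(lines, threshold=50):
    """Return [(prog, pid, second, count)] for every (prog, pid) that logs more than
    `threshold` conversation-failure messages within a single second.
    syslog timestamps have one-second resolution, so one-second buckets are the
    finest rate we can measure without a finer-grained log source."""
    buckets = defaultdict(int)  # (prog, pid, second) -> count
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, prog, pid, msg = parsed
        if CONVERSATION_FAILURE_RE.search(msg):
            buckets[(prog, pid, ts)] += 1
    return sorted(
        [(prog, pid, sec, n) for (prog, pid, sec), n in buckets.items() if n > threshold],
        key=lambda r: (r[2], r[1]),
    )


def constructed_sample():
    """Constructed auth.log excerpt: one ordinary wrong-password failure (benign),
    followed by the empty-password loop from the report repeated 40 times within
    one second (the real loop ran at more than 250 iterations per second)."""
    normal = [
        "May 14 09:11:40 host kcheckpass[73990]: pam_unix(kde:auth): authentication failure; "
        "logname=XXXX uid=1000 euid=1000 tty=:1 ruser= rhost=",
    ]
    loop_msgs = [
        "pam_krb5(kde:auth): pam_sm_authenticate: entry",
        "pam_krb5(kde:auth): (user XXXX) error getting password: Conversation error",
        "pam_krb5(kde:auth): authentication failure; logname=XXXX uid=1000 euid=1000 tty=:1 ruser= rhost=",
        "pam_krb5(kde:auth): pam_sm_authenticate: exit (failure)",
        "pam_unix(kde:auth): conversation failed",
        "pam_unix(kde:auth): auth could not identify password for [XXXX]",
    ]
    storm = [f"May 14 09:12:01 host kcheckpass[74114]: {m}" for _ in range(40) for m in loop_msgs]
    return normal + storm


if __name__ == "__main__":
    for prog, pid, sec, n in find_conversation_storms(constructed_sample()):
        print(f"{sec.isoformat()} {prog}[{pid}]: {n} PAM conversation failures in one second")
```

Three of the six messages in each loop iteration match the pattern, so the sample yields 120 hits for pid 74114 in second 09:12:01 and nothing for the benign failure. On a live system the same function can be pointed at `/var/log/auth.log` (or at `journalctl -u ... -o short` output in the same layout) and the alert used to kill the runaway kcheckpass or to page whoever owns the central authentication service that is being flooded.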