Thanks for your replies. I talked to Markus privately, and it seems this issue was fixed in April (I was running a release version, not HEAD, my bad).

The vulnerability was pretty limited anyway. It basically involves:

- Lock the screen
- Send EDID modelines with a higher res than at the time of lock
- Wait for the display to be resized
- Part of the screen underneath slock is now visible

I assume that, even before this patch, doing something meaningful with this would likely require physical access to the machine, so it doesn't seem very worrying.

Sorry for the noise. :-)
