* Marty Jack <[email protected]> [2010-08-02 21:39]:
> Sounds like something should definitely be done.
>
> If you read the xscreensaver site, he claims that xscreensaver is the most
> secure, because it uses X directly and doesn't depend on a higher level
> toolkit which, though prettier, might have a deep bug that causes the
> screensaver to abort and unlock the screen. But I think it would be
> acceptable to have the command be a configuration option as long as you
> document the security tradeoffs.
>
> I believe SUSE was on the point of raising a CVE for this (and Andrea put in
> a change and then later reverted it) which if true would be something that
> would be a showstopper.

Yes, CVE-2010-2532. We are using a patch which checks whether
gnome-screensaver or xscreensaver is running or xlockmore is available
in order to lock the screen, see
https://bugzillafiles.novell.org/attachment.cgi?id=376583
AFAIK Andrea had applied this to lxsession git, but then reverted it due
to complaints.

--
Guido Berhoerster

_______________________________________________
Lxde-list mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/lxde-list
