Bug#740163: lxsession: lxlock/dm-tool lock is easily circumvented

2014-09-18 Thread Dov Feldstern
This seems to have been fixed upstream last November (by not using
dm-tool for locking anymore):

https://github.com/lxde/lxsession/commit/9dfe4035a6b555452046db7d4e430507d7c0e469


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#740163: lxsession: lxlock/dm-tool lock is easily circumvented

2014-02-27 Thread Yves-Alexis Perez
On Wed, Feb 26, 2014 at 02:39:49PM +0100, Marcin Szewczyk wrote:
> Package: lxsession
> Version: 0.4.9.2-1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Dear Maintainer,
> 
> as described in bug #735854, locking doesn't work. It's a serious problem
> because after invoking lxlock the screen switches to VT8 with a login prompt
> and it looks like it locked the screen. The reality is the session stays
> unlocked and you can return to it with Ctrl-Alt-F7.

Speaking here with my Xfce and lightdm maintainer hat: yes, dm-tool lock
is *not* safe to be used currently. I've reported that on upstream
mailing list [1,2], but right now there's no way to be actually sure a
locker is running when calling the lock command of dm-tool. See also
[3].

So right now, I really think dm-tool lock should *not* be used as a
locking mechanism, despite its name, unless you're 100% sure a locker is
running and will actually lock upon receiving a signal (light-locker is
known to do that).

In the end, it might have to be fixed at the consolekit/logind level.

[1]: http://lists.freedesktop.org/archives/lightdm/2013-July/000399.html
[2]: http://lists.freedesktop.org/archives/lightdm/2014-January/000494.html
[3]: https://bugs.launchpad.net/lightdm/+bug/1060228

Regards,
-- 
Yves-Alexis Perez


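The precaution described in the message above (only call `dm-tool lock` when a locker that honours the lightdm lock signal is actually running, otherwise refuse rather than leave the session reachable on the original VT), as an added shell example that is not lxsession's or lightdm's own code. It assumes light-locker is the locker to check for, as the message states, and the xscreensaver fallback is an assumption not taken from the thread.

```shell
#!/bin/sh
# Added example (not lxsession/lightdm code). Wrapper that refuses to use
# "dm-tool lock" as a locking mechanism unless a locker that will act on
# the lightdm lock signal is present.

# Lockers known to lock the session when dm-tool signals them.
# Assumption from the thread: light-locker is known to do that.
KNOWN_LOCKERS="light-locker"

# $1: newline-separated list of running command names, e.g. the output of
# `ps -eo comm=`. Returns 0 if one of KNOWN_LOCKERS is among them.
locker_running() {
    for l in $KNOWN_LOCKERS; do
        if printf '%s\n' "$1" | grep -qx "$l"; then
            return 0
        fi
    done
    return 1
}

# Pick the lock command for a given process list:
#   - "dm-tool lock" only when a signal-aware locker is running;
#   - a direct xscreensaver lock as a fallback (assumed, not from the thread);
#   - "refuse" otherwise, so a bare VT switch is never mistaken for a lock.
choose_lock_method() {
    if locker_running "$1"; then
        echo "dm-tool lock"
    elif printf '%s\n' "$1" | grep -qx "xscreensaver"; then
        echo "xscreensaver-command -lock"
    else
        echo "refuse"
    fi
}

# Entry point for interactive use: inspect the live process list and act.
safe_lock() {
    method=$(choose_lock_method "$(ps -eo comm=)")
    case "$method" in
        refuse)
            echo "no screen locker running; not calling dm-tool lock" >&2
            return 1 ;;
        *)
            # Intentionally unquoted so "dm-tool lock" splits into argv.
            $method ;;
    esac
}
```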


Bug#740163: lxsession: lxlock/dm-tool lock is easily circumvented

2014-02-26 Thread Marcin Szewczyk
Package: lxsession
Version: 0.4.9.2-1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

as described in bug #735854, locking doesn't work. It's a serious problem
because after invoking lxlock the screen switches to VT8 with a login prompt
and it looks like it locked the screen. The reality is the session stays
unlocked and you can return to it with Ctrl-Alt-F7.



-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages lxsession depends on:
ii  libatk1.0-0            2.10.0-2
ii  libc6                  2.17-97
ii  libcairo2              1.12.16-2
ii  libdbus-1-3            1.8.0-1
ii  libdbus-glib-1-2       0.102-1
ii  libfontconfig1         2.11.0-2
ii  libfreetype6           2.5.2-1
ii  libgdk-pixbuf2.0-0     2.28.2-1+b1
ii  libgee2                0.6.8-1
ii  libglib2.0-0           2.38.2-5
ii  libgtk2.0-0            2.24.22-1
ii  libpango-1.0-0         1.36.0-1+b1
ii  libpangocairo-1.0-0    1.36.0-1+b1
ii  libpangoft2-1.0-0      1.36.0-1+b1
ii  libpolkit-agent-1-0    0.105-4
ii  libpolkit-gobject-1-0  0.105-4
ii  libx11-6               2:1.6.2-1

Versions of packages lxsession recommends:
ii  consolekit   0.4.6-3+b1
ii  lxde-common  0.5.5-6
ii  openbox [x-window-manager]   3.5.2-6
ii  openssh-client [ssh-client]  1:6.5p1-4
ii  upower   0.9.23-2+b1

Versions of packages lxsession suggests:
ii  gpicview  0.2.4-1
ii  lxpanel   0.5.12-3
ii  pcmanfm   1.1.2-1

-- debconf-show failed

