Bug#510851: [kdesktop] kdesktop_lock can be unlocked by scim
reassign 510851 scim-qtimm 0.9.4-2 thanks Hello, pirmadienis 05 Sausis 2009, Resul Cetin rašė: Only workaround seems to disable scim and stop to write in a foreign language with complex characters... which is not acceptable. Since it is the crash and backtraces in the upstream bug report suggest that it happens in libscim, I'm reassigning. What is more, it works well without scim, do not blame kdesktop that is does not work in non-standard configuration. -- Modestas Vainius modes...@vainius.eu signature.asc Description: This is a digitally signed message part.
Bug#510851: [kdesktop] kdesktop_lock can be unlocked by scim
Package: kdesktop Version: 4:3.5.9.dfsg.1-6 Severity: grave Tags: security X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org It is possible to unlock kdesktop_lock on systems with configured scim without entering a password. This makes it possible to access data of other users or access random locked PCs (best place to start such an attack would be in some asian countries). The system was configure as described in http://ubuntuforums.org/showthread.php?p=2704098 but with japanese tables. You must be sure that scim is enabled (for example by pressing ctrl+space and entering some test data. Then start kdesktop_lock manually by calling `kdesktop_lock --forcelock` and move your mouse/press some key to start the password dialog. Just press cancel and move your mouse or press something on you keyboard again. This should crash kdesktop_lock and enable access to the desktop. It was tested on different systems and it could reproduced on all. This problem is also known by upstream but marked it as invalid because kdesktop isn't maintained anymore (instead they thing everybody should use kde 4 stuff). http://bugs.kde.org/show_bug.cgi?id=149512 Only workaround seems to disable scim and stop to write in a foreign language with complex characters... which is not acceptable. --- System information. --- Architecture: i386 Kernel: Linux 2.6.26-1 Debian Release: 5.0 500 unstableftp.de.debian.org 500 testing debian.netcologne.de --- Package information. --- Depends(Version) | Installed -+-= kdelibs4c2a (= 4:3.5.9) | 4:3.5.10.dfsg.1-1 libc6 (= 2.7-1) | 2.7-16 libgcc1 (= 1:4.1.1) | 1:4.3.2-1.1 libgl1-mesa-glx | 7.2-1 OR libgl1 | libglu1-mesa | 7.0.3-7 OR libglu1 | libkonq4(= 4:3.5.9) | 4:3.5.9.dfsg.1-6 libqt3-mt (= 3:3.3.8b) | 3:3.3.8b-5 libstdc++6(= 4.1.1) | 4.3.2-1.1 libx11-6 | 2:1.1.5-2 libxau6 | 1:1.0.3-3 libxcursor1 ( 1.1.2) | 1:1.1.9-1 libxext6 | 2:1.0.4-1 libxss1 | 1:1.1.3-1 libxxf86misc1| 1:1.0.1-3 kdebase-bin (= 4:3.5.9.dfsg.1-6) | 4:3.5.9.dfsg.1-6 kdeeject | 4:3.5.9.dfsg.1-6 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
