Date:      Wed, 14 Jun 2006 01:40:27 +0200
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        Andrew Pantyukhin <infofarmer@gmail.com>
Cc:        FreeBSD Ports <ports@freebsd.org>, Doug Barton <dougb@freebsd.org>, Anish Mistry <amistry@am-productions.biz>, UMENO Takashi <umeno@rr.iij4u.or.jp>, Tobias Roth <ports@fsck.ch>
Subject:   Re: xlockmore - serious security issue
Message-ID:  <20060613234027.GC1074@zaphod.nitro.dk>
In-Reply-To: <cb5206420606130751s65808df2rb39b2ebb163757c4@mail.gmail.com>
References:  <cb5206420606130418x706ccd61t5840bd2b0c00f61b@mail.gmail.com> <20060613113151.GC8105@heechee.tobez.org> <cb5206420606130454i2c4fac71m53c7b2d81839e7dd@mail.gmail.com> <200606131037.58401.amistry@am-productions.biz> <cb5206420606130751s65808df2rb39b2ebb163757c4@mail.gmail.com>


On 2006.06.13 18:51:48 +0400, Andrew Pantyukhin wrote:
> On 6/13/06, Anish Mistry <amistry@am-productions.biz> wrote:
> >On Tuesday 13 June 2006 07:54, Andrew Pantyukhin wrote:
> >> On 6/13/06, Anton Berezin <tobez@tobez.org> wrote:
> >> > On Tue, Jun 13, 2006 at 03:18:16PM +0400, Andrew Pantyukhin wrote:
> >> > > The problem is that xlockmore exits all by itself when
> >> > > left alone for a couple of days. It works all right overnight,
> >> > > but when left for the weekend, it almost certainly fails. I
> >> > > just come to work and see that my workstation is unlocked,
> >> > > what a surprise.
[...]
> >I just stick with a blank screen and it works fine for several weeks at a
> >time.  I found some of the GL screensavers to cause problems.
>
> Ask me - we should mark this port forbidden and/or make
> an entry in vuxml until we resolve this issue. Let's make
> blank screen the default behavior or something. To leave
> this as is is unacceptable.

FORBIDDEN and a VuXML entry seem, in a way, a bit overkill to me,
since it's not really a vulnerability, but I'm open to input.

As mentioned by others, xlockmore is fundamentally flawed
wrt. guaranteeing that the screen stays locked, in that the
screensaver code can kill the lock, which should not be able to
happen.

Has anyone contacted the xlockmore author for comment on this issue?

One thing we could do right now is to add a message at install time
warning that xlockmore might unlock the screen (a bit like the Pine
warning).

-- 
Simon L. Nielsen
