From: "Simon L. Nielsen"
To: Andrew Pantyukhin
Cc: FreeBSD Ports, Doug Barton, Anish Mistry, UMENO Takashi, Tobias Roth
Date: Wed, 14 Jun 2006 01:40:27 +0200
Subject: Re: xlockmore - serious security issue
Message-ID: <20060613234027.GC1074@zaphod.nitro.dk>

On 2006.06.13 18:51:48 +0400, Andrew Pantyukhin wrote:
> On 6/13/06, Anish Mistry wrote:
> >On Tuesday 13 June 2006 07:54, Andrew Pantyukhin wrote:
> >> On 6/13/06, Anton Berezin wrote:
> >> > On Tue, Jun 13, 2006 at 03:18:16PM +0400, Andrew Pantyukhin wrote:
> >> > > The problem is that xlockmore exits all by itself when
> >> > > left alone for a couple of days. It works all right overnight,
> >> > > but when left for the weekend, it almost certainly fails. I
> >> > > just come to work and see that my workstation is unlocked,
> >> > > what a surprise.
[...]
> >I just stick with a blank screen and works fine for several weeks at a
> >time. I found some of the GL screensavers to cause problems.
>
> Ask me - we should mark this port forbidden and/or make
> an entry in vuxml until we resolve this issue. Let's make
> blank screen the default behavior or something. To leave
> this as is is unacceptable.

FORBIDDEN and a VuXML entry seems in a way a bit overkill to me,
since it's not really a vulnerability, but I'm open to input.

As mentioned by others, xlockmore is fundamentally flawed wrt.
guaranteeing that the screen stays locked in that the screensaver
code can kill the lock, which should not be able to happen.

Has anyone contacted the xlockmore author for comment on this issue?

One thing we could do right now is to add a message at install time
warning that xlockmore might unlock the screen (a bit like the Pine
warning).

-- 
Simon L. Nielsen