[Secure-testing-team] Bug#495806: Locked screen accepts any password to unlock

Troy Davis troydavis at gmail.com
Wed Aug 20 15:13:25 UTC 2008


Package: screen
Version: 4.0.3-11
Severity: grave
Tags: security
Justification: user security hole

Hello,

Screen has started accepting any password at all at the locked screen prompt
on my testing box.  I do not know when exactly this behavior started; I just
noticed it today.  A different box running etch works as expected, i.e. only
unlocking when the user's system password is entered.

I have tested this with multiple users on the lenny box.  Searching the
Debian screen bug reports and the screen-users mailing list turns up
nothing.  The only thing I can guess right now is that it might have
something to do with new pam packages in testing.  User error is always a
possibility, too.  ;-)

Thank you,
Troy Davis

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.25-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages screen depends on:
ii  libc6                     2.7-13         GNU C Library: Shared libraries
ii  libncursesw5              5.6+20080713-1 shared libraries for terminal hand
ii  libpam0g                  1.0.1-2        Pluggable Authentication Modules l

screen recommends no packages.

screen suggests no packages.

-- debconf information:
  screen/old_upgrade_prompt: false




