[Secure-testing-team] Bug#740163: lxsession: lxlock/dm-tool lock is easily circumvented
Marcin Szewczyk
debian.bugreport at wodny.org
Wed Feb 26 13:39:49 UTC 2014
Package: lxsession
Version: 0.4.9.2-1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

as described in bug #735854, locking doesn't work. It's a serious problem
because after invoking lxlock the screen switches to VT8 with a login prompt
and it looks like it locked the screen. The reality is the session stays
unlocked and you can return to it with Ctrl-Alt-F7.

-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.12-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages lxsession depends on:
ii libatk1.0-0 2.10.0-2
ii libc6 2.17-97
ii libcairo2 1.12.16-2
ii libdbus-1-3 1.8.0-1
ii libdbus-glib-1-2 0.102-1
ii libfontconfig1 2.11.0-2
ii libfreetype6 2.5.2-1
ii libgdk-pixbuf2.0-0 2.28.2-1+b1
ii libgee2 0.6.8-1
ii libglib2.0-0 2.38.2-5
ii libgtk2.0-0 2.24.22-1
ii libpango-1.0-0 1.36.0-1+b1
ii libpangocairo-1.0-0 1.36.0-1+b1
ii libpangoft2-1.0-0 1.36.0-1+b1
ii libpolkit-agent-1-0 0.105-4
ii libpolkit-gobject-1-0 0.105-4
ii libx11-6 2:1.6.2-1
Versions of packages lxsession recommends:
ii consolekit 0.4.6-3+b1
ii lxde-common 0.5.5-6
ii openbox [x-window-manager] 3.5.2-6
ii openssh-client [ssh-client] 1:6.5p1-4
ii upower 0.9.23-2+b1
Versions of packages lxsession suggests:
ii gpicview 0.2.4-1
ii lxpanel 0.5.12-3
ii pcmanfm 1.1.2-1
-- debconf-show failed