xlockmore - serious security issue

Simon L. Nielsen simon at FreeBSD.org
Tue Jun 13 23:40:30 UTC 2006


On 2006.06.13 18:51:48 +0400, Andrew Pantyukhin wrote:
> On 6/13/06, Anish Mistry <amistry at am-productions.biz> wrote:
> >On Tuesday 13 June 2006 07:54, Andrew Pantyukhin wrote:
> >> On 6/13/06, Anton Berezin <tobez at tobez.org> wrote:
> >> > On Tue, Jun 13, 2006 at 03:18:16PM +0400, Andrew Pantyukhin wrote:
> >> > > The problem is that xlockmore exits all by itself when
> >> > > left alone for a couple of days. It works all right overnight,
> >> > > but when left for the weekend, it almost certainly fails. I
> >> > > just come to work and see that my workstation is unlocked,
> >> > > what a surprise.
[...]
> >I just stick with a blank screen and it works fine for several weeks at a
> >time.  I found some of the GL screensavers to cause problems.
> 
> Ask me - we should mark this port forbidden and/or make
> an entry in vuxml until we resolve this issue. Let's make
> blank screen the default behavior or something. To leave
> this as is is unacceptable.

FORBIDDEN and a VuXML entry seem in a way a bit overkill to me,
since it's not really a vulnerability, but I'm open to input.

As mentioned by others, xlockmore is fundamentally flawed
wrt. guaranteeing that the screen stays locked, in that the
screensaver code can kill the lock, which should not be able to
happen.

Has anyone contacted the xlockmore author for comment on this issue?

One thing we could do right now is to add a message at install time
warning that xlockmore might unlock the screen (a bit like the Pine
warning).

-- 
Simon L. Nielsen