On Fri, Mar 30, 2007 at 03:39:02PM +0100, Sheridan Hutchinson wrote: > Package: klaptopdaemon > Version: 4:3.5.5-3 > Severity: grave > Tags: security > Justification: user security hole > > Hi, I'm using Etch RC2 and I use klaptopdaemon to lock and hibernate my > laptop when I noticed an interesting little bug. I access lock and > hibernate by right-clicking on the system tray icon and clicking on the > option there. > > Depending on the load on the system, klaptopdaemon appears to be > allowing somone unhibernating a locked & hibernated system, brief access > to the desktop. > > The first time that I noticed this I was able to start accessing a > previously opened terminal and got 'ls -la' into the terminal, and to > get the directory listing, before the screenlock was brought up. > > I have tried to replicate this and catch it on my phone camera, although > I have been unable to replicate the system load of the first time I > caught it. However, I attach move00064.3gp which is video of me > trying to replicate this, and you can see that just after coming out of > hibernate and once the X scree is brough back up, you can see a flash of > my desktop. When I first noticed this bug, I believe my system was > under considerable load and I was able to interfere with the desktop at > my leisure, until the screenlock was brought up. > > As a recollection, Windows NT 3.xx had a bug like this in the distant > past, and that knowlege brought me to notice this flaw. > > I will do further experiments with system load and other factors to see > if I can get access to desktop for a prolonged period of time again. If > I was able to get up a terminal, and it was root logged on, presumably I > could kill off the process that would launch the screenlock before it > had a chance and have my wicked way with the desktop? >
... I have uploaded packages with a new patch from Raul at: deb http://people.debian.org/~ana/kdeutils/ ./ Test it please! Ana -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
