On Wed, Aug 20, 2008 at 10:13:25AM -0500, Troy Davis wrote:
> Package: screen
> Version: 4.0.3-11
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Screen has started accepting any password at all at the locked screen prompt
> on my testing box. I do not know when exactly this behavior started; I just
> noticed it today. A different box running etch works as expected, i.e. only
> unlocking when the user's system password is entered.
>
> I have tested this with multiple users on the lenny box. Searching the
> Debian screen bug reports and the screen-users mailing list turns up
> nothing. The only thing I can guess right now is that it might have
> something to do with new pam packages in testing. User error is always a
> possibility, too. ;-)

I've had a look to see if this is reproducible here, and it is. Poking around
in the logs, I see:

Aug 20 10:13:51 borges kernel: [336995.492721] screen[16067]: segfault at 0 ip 7f69c4ff90fa sp 7fffcfcbcc50 error 4 in pam_unix.so[7f69c4fef000+c000]

So it looks like the auth process is segfaulting, resulting in the unlocking
of the screen. Will continue investigating.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                     [EMAIL PROTECTED]
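The failure mode Steve describes, an authentication step that crashes and leaves the screen unlocked, as an added example that is not screen's or pam_unix's code: a lock check that only treats an explicit denial as failure, beside one that stays locked unless the helper exits cleanly with success. The auth_fn interface and the helper_* functions are hypothetical stand-ins constructed for the example.

```c
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* An authentication helper: returns 0 when the password is accepted,
 * non-zero otherwise. Hypothetical interface, not screen's or PAM's. */
typedef int (*auth_fn)(void);

/* Fail-open check: the caller only treats an explicit "denied" exit
 * status as failure. A helper that dies of a signal never reports
 * "denied", so the lock is released. Returns 1 if the screen unlocks. */
int unlock_fail_open(auth_fn helper) {
    pid_t pid = fork();
    if (pid < 0) return 1;                        /* cannot check: unlocks anyway (bad) */
    if (pid == 0) _exit(helper() == 0 ? 0 : 1);   /* child runs the helper */
    int status = 0;
    waitpid(pid, &status, 0);
    /* BUG: only exit code 1 counts as "denied"; a crash (SIGSEGV) falls through */
    return !(WIFEXITED(status) && WEXITSTATUS(status) == 1);
}

/* Fail-closed check: unlock only on a clean exit with status 0. A crash,
 * a kill, a fork failure or a waitpid error all keep the screen locked. */
int unlock_fail_closed(auth_fn helper) {
    pid_t pid = fork();
    if (pid < 0) return 0;                        /* cannot check: stay locked */
    if (pid == 0) _exit(helper() == 0 ? 0 : 1);
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return 0;
    if (WIFSIGNALED(status)) return 0;            /* helper died, e.g. segfault */
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Constructed stand-ins for the helper: accept, deny, and crash the way
 * the pam_unix.so segfault in the log above would. */
int helper_accept(void) { return 0; }
int helper_deny(void)   { return 1; }
int helper_crash(void)  { raise(SIGSEGV); return 1; }
```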