Package: lxdm
Version: 0.5.3-1
Severity: critical

Hi,

if I ssh (no -X) to a box running lxdm and try to run DISPLAY=:0 xeyes
I get an error because I don't have the rights to the display.

Now, if I log directly into lxdm on that box, then log out, and retry the ssh then DISPLAY=:0 xeyes from remote, that works: the eyes appear on the lxdm login screen!

Restarting lxdm fixes the issue.

I chose severity critical, because that means if you work remotely and run commands, you can get windows to open on the remote box and display important things to anybody -- a clear security issue. In fact, I discovered that issue by trying to sign Debian packages and not getting my curses window: gnupg was opening an X window in lxdm on the remote host!

I hope that helps,

Snark on #debian-science
