Package: kscreensaver
Version: 4:4.10.5-1
Severity: normal

Dear Maintainer,

It seems to me that the unlock-session window keeps
a typed but forgotten (i.e. not entered with ENTER)
password forever, if I'm right this is a security breach
cheers

Steps to Reproduce: 
1. lock a KDE session
(or wait enough idle time if automatic lock is on).
(I have also a screen saver enabled, but this should be irrelevant)
2. write the user-password in the unlock form, but DO NOT click ENTER
(e.g. because something distracted you); 
3. wait some time (e.g. exit the room to take a coffee)
4. come back to the unlock and the password is still typed in the form
(you see the black dots), an ENTER is enough to enter the session.
(Security breach: somebody evil arrives and just clicking
ENTER enters your account ...)

Expected Results:
The password form of the unlock-session window
must be cleared after, say,
1 minute from when the last character is entered.
(That was the behavior say one year ago.)

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.10-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages kscreensaver depends on:
ii  kde-runtime               4:4.10.5-1
ii  kde-workspace-bin         4:4.10.5-3
ii  libc6                     2.17-92+b1
ii  libgl1-mesa-glx [libgl1]  9.1.6-2
ii  libglu1-mesa [libglu1]    9.0.0-1
ii  libkdecore5               4:4.10.5-1
ii  libkdeui5                 4:4.10.5-1
ii  libkexiv2-11              4:4.10.5-1
ii  libkio5                   4:4.10.5-1
ii  libkparts4                4:4.10.5-1
ii  libkscreensaver5          4:4.10.5-3
ii  libqt4-opengl             4:4.8.5+dfsg-3
ii  libqtcore4                4:4.8.5+dfsg-3
ii  libqtgui4                 4:4.8.5+dfsg-3
ii  libstdc++6                4.8.1-2
ii  libx11-6                  2:1.6.1-1

Versions of packages kscreensaver recommends:
ii  kde-window-manager    4:4.10.5-3
ii  kscreensaver-xsavers  4:4.10.5-1

kscreensaver suggests no packages.

-- no debconf information
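
The behaviour requested under "Expected Results", sketched as an added example (not part of the original report and not KDE's code): a password buffer that wipes itself once 60 seconds have passed since the last keystroke. The class and method names are hypothetical, and the clock value is passed in so the logic can be exercised without a GUI timer.

```cpp
#include <chrono>
#include <cstddef>
#include <string>

// Hypothetical model of an unlock dialog's password field (illustration only).
class IdleClearingPasswordField {
public:
    using Clock = std::chrono::steady_clock;

    explicit IdleClearingPasswordField(std::chrono::seconds idleLimit = std::chrono::seconds(60))
        : idleLimit_(idleLimit) {}

    // Called for every typed character; restarts the idle countdown.
    void keyPressed(char c, Clock::time_point now) {
        expireIfIdle(now);  // drop stale input before appending to it
        buffer_.push_back(c);
        lastKey_ = now;
    }

    // Called from a periodic timer; returns true if stale input was wiped.
    bool expireIfIdle(Clock::time_point now) {
        if (buffer_.empty() || now - lastKey_ < idleLimit_) return false;
        wipe();
        return true;
    }

    // Called on ENTER: input older than the limit is never submitted, and the
    // field is wiped either way. The caller must wipe the returned copy.
    std::string submit(Clock::time_point now) {
        expireIfIdle(now);
        std::string out = buffer_;
        wipe();
        return out;
    }

    std::size_t length() const { return buffer_.size(); }

private:
    void wipe() {
        // Zero through a volatile pointer so the overwrite is not optimized away.
        volatile char *p = buffer_.empty() ? nullptr : &buffer_[0];
        for (std::size_t i = 0; i < buffer_.size(); ++i) p[i] = 0;
        buffer_.clear();
    }

    std::chrono::seconds idleLimit_;
    std::string buffer_;
    Clock::time_point lastKey_{};
};
```

Checking the age again inside submit() covers the case where the periodic timer did not fire before ENTER was pressed.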

