
Bug#311683: xscreensaver: web collage screensaver makes debian "default install" of kde show porn



A friend made me aware that for Fedora there are a number of submissions
of this problem. I just link them here as reference:
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139513
(with duplicate bugs: 139777, 149803, 140684)

Given the outcry and negative stories there, perhaps the severity of this
bug needs to be marked as critical? I'd hate to see someone fired or sued
for installing the new official sarge release...

>>While 'web collage' is a truly original screensaver based on a fun idea,
>>the thing is, there are workplace environments where this could potentially
>>get people fired or sued. [...]
> 
> That's exactly why webcollage is disabled in the default xscreensaver
> setup.

And by 'disabled' I suppose you mean that the default setting of the xscreensaver
randomizer does not pick WebCollage. Is that really enough? I'm not trying
to be a moralist here; but is it really sensible to distribute a porn
screensaver among the default set? You may argue that the main idea of
WebCollage is not to show porn, but in reality, something like 1 out of 10
images it pulls is pornographic; so this likely is how it will appear to
ordinary users.

Also, a user playing around in the xscreensaver/'Gnome screensaver config' will
trigger the preview of WebCollage before it is possible to read the explicit
warnings in the settings dialog. The possibility of unintentional triggering
of sexually explicit content in the preview box on the screen while configuring
screensavers is still bad. This issue may not be as grave as "porn by default
in kde", but people working for a company that supervises network usage could
still potentially get fired for the actions of the WebCollage preview.

Perhaps this less grave problem with xscreensaver configuration and WebCollage
should be refiled as a 'minor' or 'wishlist' bug against xscreensaver. However,
fixing the minor issue with xscreensaver would also fix the grave side of the
issue involving kde's random screensaver.

>>Also, just as a side note: another reason to avoid 'web collage' being
>>activated unintentionally is that it is a significantly higher
>>security risk than any of the other screensavers, in that it might
>>pull an image from the web that exploits a buffer overflow in
>>the picture library.
> 
> Actually this shouldn't be a problem, as a hack crashing doesn't make
> the server crash.

This argument assumes that the worst thing that can happen is the screensaver
process crashing. However, an image constructed with malicious intent could let
an attacker take over the WebCollage process, and ultimately give full access
to the user's account.

//Rickard