
xscreensaver and gqview (security flaw?)



Hello,

I have noticed something strange, and potentially bad, about
how these programs interact.

Anyway, to reproduce:

1. start gqview from an xterm (actually, I used a gnome-terminal).

2. view image in full screen (using Ctrl + F).

3. wait for screen saver to activate, and turn off the screen using
APM (not sure if using APM is important or not).

4. come to computer, push any key. screen turns on but remains
blank. In fact, nothing I push comes up with the password prompt.  I
can get the prompt by moving the mouse, but cannot type in the
password.

5. push escape. I believe this closes the full screen display in
gqview. The fact that I can close this program is, I believe, a
security hole in itself.

6. now type in the password normally, and log in normally.

7. in the xterm, below the call to gqview, my password appears:

~ >gqview .
[password]

this has got me really puzzled, as:

a) I only typed my password in once (to xscreensaver), and it worked
first go (two programs reading the same keystrokes???).

b) there is no reason why focus should jump to the gnome-terminal.  My
desktop is cluttered with other windows. My window manager
(Enlightenment) is set up to focus on the window with the mouse cursor,
and at the time, I would presume that only the xscreensaver could have
focus, as it is in front.

I believe step 4 may be significant, but don't know in what way. I do
not fully understand how gqview displays a full screen window. However
I think this is an important feature of gqview all the same.

My system is a fully up-to-date potato system (at least as of two days
ago).
-- 
Brian May <bam@debian.org>


