Bug#416824: klaptopdaemon: lock & hibernate allowing unauthorised access email@example.com
On Fri, Mar 30, 2007 at 03:39:02PM +0100, Sheridan Hutchinson wrote:
> Package: klaptopdaemon
> Version: 4:3.5.5-3
> Severity: grave
> Tags: security
> Justification: user security hole
> Hi, I'm using Etch RC2 and I use klaptopdaemon to lock and hibernate my
> laptop when I noticed an interesting little bug. I access lock and
> hibernate by right-clicking on the system tray icon and clicking on the
> option there.
> Depending on the load on the system, klaptopdaemon appears to be
> allowing somone unhibernating a locked & hibernated system, brief access
> to the desktop.
> The first time that I noticed this I was able to start accessing a
> previously opened terminal and got 'ls -la' into the terminal, and to
> get the directory listing, before the screenlock was brought up.
> I have tried to replicate this and catch it on my phone camera, although
> I have been unable to replicate the system load of the first time I
> caught it. However, I attach move00064.3gp which is video of me
> trying to replicate this, and you can see that just after coming out of
> hibernate and once the X scree is brough back up, you can see a flash of
> my desktop. When I first noticed this bug, I believe my system was
> under considerable load and I was able to interfere with the desktop at
> my leisure, until the screenlock was brought up.
> As a recollection, Windows NT 3.xx had a bug like this in the distant
> past, and that knowlege brought me to notice this flaw.
> I will do further experiments with system load and other factors to see
> if I can get access to desktop for a prolonged period of time again. If
> I was able to get up a terminal, and it was root logged on, presumably I
> could kill off the process that would launch the screenlock before it
> had a chance and have my wicked way with the desktop?
I have uploaded packages with a new patch from Raul at:
deb http://people.debian.org/~ana/kdeutils/ ./
Test it please!