
Bug#416824: klaptopdaemon: lock & hibernate allowing unauthorised access



Hi KDE users,

has anyone experienced something like this:

On Fri, Mar 30, 2007 at 03:39:02PM +0100, Sheridan Hutchinson wrote:
> Package: klaptopdaemon
> Version: 4:3.5.5-3
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi, I'm using Etch RC2 and I use klaptopdaemon to lock and hibernate my
> laptop when I noticed an interesting little bug.  I access lock and
> hibernate by right-clicking on the system tray icon and clicking on the
> option there.
> 
> Depending on the load on the system, klaptopdaemon appears to be
> allowing someone unhibernating a locked & hibernated system, brief access
> to the desktop.
> 
> The first time that I noticed this I was able to start accessing a
> previously opened terminal and got 'ls -la' into the terminal, and to
> get the directory listing, before the screenlock was brought up.
> 
> I have tried to replicate this and catch it on my phone camera, although
> I have been unable to replicate the system load of the first time I
> caught it.  However, I attach move00064.3gp which is video of me
> trying to replicate this, and you can see that just after coming out of
> hibernate and once the X screen is brought back up, you can see a flash of
> my desktop.  When I first noticed this bug, I believe my system was
> under considerable load and I was able to interfere with the desktop at
> my leisure, until the screenlock was brought up.
> 
> As a recollection, Windows NT 3.xx had a bug like this in the distant
> past, and that knowledge brought me to notice this flaw.
> 
> I will do further experiments with system load and other factors to see
> if I can get access to desktop for a prolonged period of time again.  If
> I was able to get up a terminal, and it was root logged on, presumably I
> could kill off the process that would launch the screenlock before it
> had a chance and have my wicked way with the desktop?
> 
> FYI I'm using an IBM Thinkpad X40.
> 
> I hope this helps!
> 
> 
> -- System Information:
> Debian Release: 4.0
>   APT prefers testing
>   APT policy: (500, 'testing')
> Architecture: i386 (i686)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.18
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
> 
> Versions of packages klaptopdaemon depends on:
> ii  kdelibs4c2a            4:3.5.5a.dfsg.1-6 core libraries and binaries for al
> ii  libc6                  2.3.6.ds1-13      GNU C Library: Shared libraries
> ii  libgcc1                1:4.1.1-21        GCC support library
> ii  libqt3-mt              3:3.3.7-3         Qt GUI Library (Threaded runtime v
> ii  libstdc++6             4.1.1-21          The GNU Standard C++ Library v3
> ii  libxtst6               1:1.0.1-5         X11 Testing -- Resource extension 
> 
> klaptopdaemon recommends no packages.
> 
> -- no debconf information


You can read the full bug report (and download the video) from
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416824

Thanks,
Ana


