Bug#580370: kdebase-bin: When suspending (S3 & S4) screen locking can be avoided in a specific circumstance
Package: kdebase-bin
Version: 4:4.4.3-1
Severity: important
This is a security bug.
KDE4 has made great efforts to enforce screen locking when a machine is put into suspend (S3) or hibernate (S4) modes.
After reviewing KDE 4.4, which recently arrived in sid, I have discovered that there is only one remaining way of avoiding screen locking preferences.
To reliably reproduce:
1.) Click on the 'K'
2.) Hover the mouse cursor over 'Leave'
3.) Click shutdown
4.) A new dialog will appear. Hold and press the left mouse-button on the text 'Turn off your computer' and select either suspend to RAM or suspend to disk (whichever your poison).
5.) Your machine will suspend as commanded.
6.) Resume your machine, to find any previously set screen locking preferences are evaded.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-3-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages kdebase-bin depends on:
ii  kdebase-data     4:4.4.3-1  shared data files for the KDE 4 ba
ii  kdebase-runtime  4:4.4.3-1  runtime components from the offici
ii  libc6            2.10.2-6   Embedded GNU C Library: Shared lib
ii  libkdecore5      4:4.4.3-1  the KDE Platform Core Library
ii  libkdeui5        4:4.4.3-1  the KDE Platform User Interface Li
ii  libkfile4        4:4.4.3-1  the File Selection Dialog Library
ii  libkhtml5        4:4.4.3-1  the KHTML Web Content Rendering En
ii  libkio5          4:4.4.3-1  the Network-enabled File Managemen
ii  libkparts4       4:4.4.3-1  the Framework for the KDE Platform
ii  libqt4-dbus      4:4.6.2-4  Qt 4 D-Bus module
ii  libqt4-xml       4:4.6.2-4  Qt 4 XML module
ii  libqtcore4       4:4.6.2-4  Qt 4 core module
ii  libqtgui4        4:4.6.2-4  Qt 4 GUI module
ii  libstdc++6       4.4.4-1    The GNU Standard C++ Library v3
ii  libx11-6         2:1.3.3-3  X11 client-side library
kdebase-bin recommends no packages.
kdebase-bin suggests no packages.
-- no debconf information