Bug#729848: kscreensaver: Unlock-session window keeps a typed but forgotten password forever
Package: kscreensaver
Version: 4:4.10.5-1
Severity: normal
Dear Maintainer,
It seems to me that the unlock-session window keeps
a typed but forgotten (i.e. not entered with ENTER)
password forever; if I'm right, this is a security breach.
cheers
Steps to Reproduce:
1. lock a KDE session
(or wait enough idle time if automatic lock is on).
(I have also a screen saver enabled, but this should be irrelevant)
2. write the user-password in the unlock form, but DO NOT click ENTER
(e.g. because something distracted you);
3. wait some time (e.g. exit the room to take a coffee)
4. come back to the unlock and the password is still typed in the form
(you see the black dots), an ENTER is enough to enter the session.
(Security breach: somebody evil arrives and just clicking
ENTER enters your account ...)
Expected Results:
The password form of the unlock-session window
must be cleared after, say,
1 minute from when the last character is entered.
(That was the behavior say one year ago.)
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.10-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages kscreensaver depends on:
ii kde-runtime 4:4.10.5-1
ii kde-workspace-bin 4:4.10.5-3
ii libc6 2.17-92+b1
ii libgl1-mesa-glx [libgl1] 9.1.6-2
ii libglu1-mesa [libglu1] 9.0.0-1
ii libkdecore5 4:4.10.5-1
ii libkdeui5 4:4.10.5-1
ii libkexiv2-11 4:4.10.5-1
ii libkio5 4:4.10.5-1
ii libkparts4 4:4.10.5-1
ii libkscreensaver5 4:4.10.5-3
ii libqt4-opengl 4:4.8.5+dfsg-3
ii libqtcore4 4:4.8.5+dfsg-3
ii libqtgui4 4:4.8.5+dfsg-3
ii libstdc++6 4.8.1-2
ii libx11-6 2:1.6.1-1
Versions of packages kscreensaver recommends:
ii kde-window-manager 4:4.10.5-3
ii kscreensaver-xsavers 4:4.10.5-1
kscreensaver suggests no packages.
-- no debconf information