
Re: segfault in xscreensaver, screen revealed



Control: clone -1 -2 -3
Control: reassign -2 ftpmasters
Control: retitle -2 RM: pam-rsa -- RoST; unmaintained, buggy and dangerous
Control: reassign -3 release.debian.org
Control: retitle -3 RM: pam-rsa -- RoST; unmaintained, buggy and dangerous
Control: user release.debian.org@packages.debian.org
Control: usertag -3 rm

On Tue., 2012-11-13 at 21:56 +0100, Yves-Alexis Perez wrote:
> On Tue., 2012-11-13 at 09:00 -0800, Ian Zimmerman wrote:
> > Jan> Is it possible to reproduce that xscreensaver crash also without
> > Jan> libpam-rsa module being used? (when using pam-unix login
> > Jan> alternative with the same scenario)
> > 
> > No, it doesn't happen with pam-unix.  This had been kicked around the
> > debian security team for a couple of days before this bug was posted.
> > You may want to contact them to coordinate your response.
> > 
> Yes, we were made aware of the issue. 
> 
> Seeing the gravity of the bug, the number of people using it, the time
> of last (upstream) release and the number of NMU, we're considering just
> removing it from Debian altogether, unless you have a decisive argument
> to keep it (and fix the bug quickly).
> 

Doing this now (hoping the Control: syntax will work).

ftpmasters, release team: the security team is requesting the removal of
the pam-rsa package because we were made aware of the above (#693087)
bug: in some situations, pam_rsa module will cause a segfault in
xscreensaver, leaving the screen unlocked.

Package seems to be mostly abandoned upstream (last release in 2007,
called a “beta release” and no answer from the bug address on the
upstream webpage) and, although the Debian maintainer seems around,
there were only NMUs since 2007.

In our opinion, considering the low pam-rsa usage (and even questioning
the real benefit of the package) it'd be just best to remove it
altogether.

Thus, we'd like the removal from at least testing and unstable. For
stable, I'm a bit unsure about how we're supposed to handle a package
disappearance in stable, so I'm available for discussion (although we
don't think it's really supportable in the current state).

Thanks in advance,
-- 
Yves-Alexis, for the security team


