Bug#987360: swaylock: Occassional unlock without password entered
X-Debbugs-CC: pe...@riseup.net

Pelle writes:
>> I cannot answer for Pelle, but I was also experiencing this bug back
>> when it was reported. FWIW: I'm unable to reproduce it with 1.6-1. That
>> being said, triggering the bug does seem somewhat stochastic, so I can't
>> rule out that a bunch more suspend/resume cycles would trigger it. But
>> so far, so good!
>
> Same here, no crashes recently, yay,

Great!

> however, I think that this crash bug illustrates the more general
> issue that the lock screen is bypassed on any crash. Swaylock should
> be able to restart itself on failure, perhaps with a daemon. There
> could be more vulnerabilities of this class, right? I believe
> XScreensaver has a strategy for mitigating these types of vulns too.

Indeed. I believe this is what Jonas was referring to when he linked to
https://github.com/swaywm/sway/pull/6879 (it is about Sway supporting an
extension to the Wayland protocol for performing this kind of locking
reliably). This is of course the right way forward, but for now, I think
we at least should downgrade the severity of this bug and let swaylock
re-enter testing.

Best,
Gard
Bug#987360: swaylock: Occassional unlock without password entered
> I cannot answer for Pelle, but I was also experiencing this bug back
> when it was reported. FWIW: I'm unable to reproduce it with 1.6-1. That
> being said, triggering the bug does seem somewhat stochastic, so I can't
> rule out that a bunch more suspend/resume cycles would trigger it. But
> so far, so good!

Same here, no crashes recently, yay, however, I think that this crash bug
illustrates the more general issue that the lock screen is bypassed on any
crash. Swaylock should be able to restart itself on failure, perhaps with a
daemon. There could be more vulnerabilities of this class, right? I believe
XScreensaver has a strategy for mitigating these types of vulns too.

Thank you so much for your work. I wish I knew C and could help, but now I
can only complain and hope someone else fixes it. I could probably write a
daemon in shell script though if such a patch would be accepted, although
there are probably more elegant solutions to this in the swaylock code
itself.
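As an illustration of the shell-script supervisor idea raised above (added here; this is not code from the thread, from swaylock or from Debian): a wrapper that re-runs the locker whenever it exits with anything other than status 0, so that a crash of the locker process does not leave the session unlocked. The `fake_locker` stand-in and the `FAKE_CRASHES_LEFT` / `LOCKER_RESTART_DELAY` variables are constructed for the example; the locker command and restart budget are the caller's choice.

```shell
#!/bin/sh
# Constructed example: a minimal supervisor for a screen locker. The locker
# is re-executed whenever it exits abnormally (a crash shows up as 128+signal,
# e.g. 139 for SIGSEGV) and the loop stops only on a clean exit (status 0,
# i.e. the password was accepted). Not part of swaylock or Debian.

# supervise_locker LOCKER MAX_RESTARTS [ARGS...]
#   Runs LOCKER with ARGS until it exits 0. Any other status restarts it,
#   up to MAX_RESTARTS times. Returns 0 on a clean unlock, otherwise the
#   last non-zero status so the caller can react (e.g. suspend again).
supervise_locker() {
    locker=$1
    max_restarts=$2
    shift 2
    restarts=0
    while :; do
        rc=0
        "$locker" "$@" || rc=$?
        [ "$rc" -eq 0 ] && return 0
        restarts=$((restarts + 1))
        if [ "$restarts" -gt "$max_restarts" ]; then
            echo "locker kept failing (last status $rc); giving up" >&2
            return "$rc"
        fi
        echo "locker exited with status $rc; restart $restarts/$max_restarts" >&2
        # Short backoff so a locker that dies instantly cannot spin the CPU.
        # LOCKER_RESTART_DELAY is an assumed knob for this example only.
        sleep "${LOCKER_RESTART_DELAY:-1}"
    done
}

# Constructed stand-in for swaylock: "crashes" with status 139 (as a
# SIGSEGV would) FAKE_CRASHES_LEFT times, then exits 0 as if the password
# had been entered. Real use would be: supervise_locker swaylock 5
FAKE_CRASHES_LEFT=2
fake_locker() {
    if [ "$FAKE_CRASHES_LEFT" -gt 0 ]; then
        FAKE_CRASHES_LEFT=$((FAKE_CRASHES_LEFT - 1))
        return 139
    fi
    return 0
}

# Demo run against the stand-in: two simulated crashes, then a clean unlock.
supervise_locker fake_locker 3 && echo "unlocked cleanly after restarts"
```

The real locker has to run in the foreground so the wrapper observes its exit status, and the wrapper only narrows the problem: between the crash and the restart the compositor is already showing the desktop, and a locker that fails to start at all exhausts the retry budget with the session unlocked, which is why the function reports that case loudly instead of returning 0. Keeping the lock state inside the compositor, as the ext-session-lock-v1 work linked elsewhere in this thread does, removes that window entirely.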
Bug#987360: swaylock: Occassional unlock without password entered
X-Debbugs-CC: d...@jones.dk, pe...@riseup.net

Hi all.

Jonas Smedegaard writes:
> Hi Pelle,
>
> You reported this issue for swaylock 1.5-2.
>
> Do you still experience the same issue with swaylock 1.6-1 now in Debian
> unstable?

I cannot answer for Pelle, but I was also experiencing this bug back when
it was reported. FWIW: I'm unable to reproduce it with 1.6-1. That being
said, triggering the bug does seem somewhat stochastic, so I can't rule
out that a bunch more suspend/resume cycles would trigger it. But so far,
so good!

> Perhaps sensible to lower severity of this issue, to allow more exposure
> to it in Debian testing - and then hopefully close it for good soon,
> when work on ext-session-lock-v1 is finalized:
> https://github.com/swaywm/sway/pull/6879

I agree; I think we can lower the severity and let swaylock back into
testing, and just raise the severity back up if anyone is able to
reproduce on 1.6-1.

Best,
Gard
Bug#987360: swaylock: Occassional unlock without password entered
X-Debbugs-Cc: pe...@riseup.net

Hi Pelle,

You reported this issue for swaylock 1.5-2.

Do you still experience the same issue with swaylock 1.6-1 now in Debian
unstable?

Perhaps sensible to lower severity of this issue, to allow more exposure
to it in Debian testing - and then hopefully close it for good soon,
when work on ext-session-lock-v1 is finalized:
https://github.com/swaywm/sway/pull/6879

Also, please note that you have been kindly requested to also share a
stack trace: https://bugs.debian.org/987360#25

Kind regards,

- Jonas

--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

[x] quote me freely  [ ] ask before reusing  [ ] keep private
Bug#987360: swaylock: Occassional unlock without password entered
On Thu, May 20, 2021 at 09:59:54PM +0930, Andrew Savchenko wrote:
> Pelle,

It might not have reached him, the Debian bug tracker defaults to not
sending a copy to the submitter.

> Would you be able to add a stack trace?
> Here, or directly with the upstream:
> https://github.com/swaywm/swaylock/issues/181

I'll answer there with a stacktrace based on the coredump.

> Thanks.

cu
Adrian
Bug#987360: swaylock: Occassional unlock without password entered
Pelle,

Would you be able to add a stack trace?
Here, or directly with the upstream:
https://github.com/swaywm/swaylock/issues/181

Thanks.
Bug#987360: swaylock: Occassional unlock without password entered
* Pelle [210423 15:45]:
> [..], but then freeze for about half a minute
> and then just disappear and thereby allow access to Sway without the password
> being entered.

Sounds like it crashes? Please install swaylock-dbgsym and see if you can
get a coredump.

Chris
Bug#987360: swaylock: Occassional unlock without password entered
Package: swaylock
Version: 1.5-2
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team

Dear Maintainer,

I'm running Sway and use Swaylock to lock the screen when the laptop is
asleep. Sometimes when resuming from sleep, Swaylock will respond to the
first keypress of the password and display a spinner, but then freeze for
about half a minute and then just disappear and thereby allow access to
Sway without the password being entered.

I am not yet sure of the exact conditions that cause this issue but it's
happened >10 times so far on my system.

-- System Information:
Debian Release: 11.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-6-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages swaylock depends on:
ii  libc6               2.31-11
ii  libcairo2           1.16.0-5
ii  libgdk-pixbuf2.0-0  2.40.2-2
ii  libglib2.0-0        2.66.8-1
ii  libpam0g            1.4.0-7
ii  libwayland-client0  1.19.0-2
ii  libxkbcommon0       1.0.3-2

swaylock recommends no packages.

swaylock suggests no packages.