Package: xscreensaver
Version: 4.24-5
Severity: grave
Tags: security
Justification: user security hole

I have set up xscreensaver so that it locks the screen after a
certain timeout. This is a handy security feature which is the main
reason for using the screensaver. However, today the screen was not
locked and so my data was exposed; initially I had no idea what the problem
was. The problem was a missing network cable, which made xscreensaver log
the following line:

xscreensaver: nss_ldap: failed to bind to LDAP server ldap://ldap.example.com: Can't contact LDAP server

xscreensaver does not need to contact the user database by default for
locking the screen: xscreensaver already knows its own uid and gid. I
see that it could be necessary to check the username when xscreensaver
has been started as root, and of course it needs to confirm the password
when unlocking. But it can lock the screen when running with user
privileges.

I tag this bug "grave" because everyone with local access could pull the
network cable and thus compromise every machine. This attack is much
more subtle than pressing keys on the keyboard: you do not need to be in front
of the computer; you can cut the connection anywhere between the client
and the NIS or LDAP server.

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i586)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-486
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)

Versions of packages xscreensaver depends on:
ii  libatk1.0-0                1.12.3-1      The ATK accessibility toolkit
ii  libc6                      2.3.6.ds1-8   GNU C Library: Shared libraries
ii  libcairo2                  1.2.4-4       The Cairo 2D vector graphics libra
ii  libfontconfig1             2.4.1-2       generic font configuration library
ii  libglade2-0                1:2.6.0-2     library to load .glade files at ru
ii  libglib2.0-0               2.12.4-2      The GLib library of C routines
ii  libgtk2.0-0                2.8.20-3      The GTK+ graphical user interface 
ii  libice6                    1:1.0.1-2     X11 Inter-Client Exchange library
ii  libjpeg62                  6b-13         The Independent JPEG Group's JPEG 
ii  libpam0g                   0.79-4        Pluggable Authentication Modules l
ii  libpango1.0-0              1.14.8-2      Layout and rendering of internatio
ii  libsm6                     1:1.0.1-3     X11 Session Management library
ii  libx11-6                   2:1.0.3-4     X11 client-side library
ii  libxcursor1                1.1.7-4       X cursor management library
ii  libxext6                   1:1.0.1-2     X11 miscellaneous extension librar
ii  libxfixes3                 1:4.0.1-5     X11 miscellaneous 'fixes' extensio
ii  libxi6                     1:1.0.1-4     X11 Input extension library
ii  libxinerama1               1:1.0.1-4.1   X11 Xinerama extension library
ii  libxml2                    2.6.27.dfsg-1 GNOME XML library
ii  libxmu6                    1:1.0.2-2     X11 miscellaneous utility library
ii  libxpm4                    1:3.5.5-2     X11 pixmap library
ii  libxrandr2                 2:1.1.0.2-5   X11 RandR extension library
ii  libxrender1                1:0.9.1-3     X Rendering Extension client libra
ii  libxt6                     1:1.0.2-2     X11 toolkit intrinsics library
ii  libxxf86misc1              1:1.0.1-2     X11 XFree86 miscellaneous extensio
ii  libxxf86vm1                1:1.0.1-2     X11 XFree86 video mode extension l

Versions of packages xscreensaver recommends:
ii  libjpeg-progs                 6b-13      Programs for manipulating JPEG fil
ii  perl [perl5]                  5.8.8-6.1  Larry Wall's Practical Extraction 
ii  wamerican [wordlist]          6-2        American English dictionary words 
ii  wogerman [wordlist]           2-23       The old German dictionary for /usr
pn  xli | xloadimage              <none>     (no description available)

-- no debconf information
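The point of the report above is that locking must fail closed: the lock must go ahead whether or not the user database can be reached, because the process already knows its own uid. The following is an added example written for this page, not xscreensaver's code. It injects the user lookup as a function pointer so that the nss_ldap failure from the report (getpwuid() returning NULL because the LDAP server cannot be contacted) can be simulated offline, and contrasts a fail-open lock routine with a fail-closed one. The function names, the uid 1000 and the sample entry "alice" are assumptions for illustration.

```c
/*
 * Added example (not xscreensaver's code): a screen lock must not depend on
 * the NSS user database being reachable.  The lookup is injected so that an
 * unreachable nss_ldap backend can be simulated without a network.
 * Function names, the uid 1000 and the "alice" entry are assumptions.
 */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Same shape as getpwuid(), so the real function can be passed in too. */
typedef struct passwd *(*pw_lookup_fn)(uid_t uid);

/* Simulated nss_ldap with the network cable pulled: no entry is returned. */
struct passwd *lookup_unreachable(uid_t uid)
{
    (void)uid;
    errno = EIO;   /* assumed errno; glibc's exact value is not relied on */
    return NULL;
}

/* Simulated working user database with one constructed entry. */
struct passwd *lookup_ok(uid_t uid)
{
    static struct passwd pw;
    static char name[] = "alice";   /* constructed sample entry */
    pw.pw_name = name;
    pw.pw_uid = uid;
    pw.pw_gid = uid;
    return &pw;
}

/*
 * Fail-open variant (the behaviour the report complains about): if the user
 * database cannot be queried, give up and leave the screen unlocked.
 * Returns 0 when the lock may proceed, -1 when it is abandoned.
 */
int lock_identity_strict(uid_t uid, pw_lookup_fn lookup, char *out, size_t n)
{
    struct passwd *pw = lookup(uid);
    if (pw == NULL) {
        snprintf(out, n, "lock aborted: cannot resolve uid %lu",
                 (unsigned long)uid);
        return -1;
    }
    snprintf(out, n, "%s", pw->pw_name);
    return 0;
}

/*
 * Fail-closed variant: the process already knows its own uid, so the lock
 * always proceeds.  The user name is only cosmetic for the unlock dialog and
 * is replaced by "#uid" when the lookup fails.  Verifying the password at
 * unlock time may still need the backend, but that failure keeps the screen
 * locked, which is the safe direction.
 */
int lock_identity_resilient(uid_t uid, pw_lookup_fn lookup, char *out, size_t n)
{
    struct passwd *pw = lookup(uid);
    if (pw == NULL || pw->pw_name == NULL)
        snprintf(out, n, "#%lu", (unsigned long)uid);
    else
        snprintf(out, n, "%s", pw->pw_name);
    return 0;
}

/* Convenience check: does the fail-closed path yield this display name? */
int resilient_name_is(uid_t uid, pw_lookup_fn lookup, const char *expected)
{
    char buf[64];
    lock_identity_resilient(uid, lookup, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[128];
    uid_t uid = 1000;   /* assumed uid for the demonstration */

    int r1 = lock_identity_strict(uid, lookup_unreachable, buf, sizeof buf);
    printf("strict, LDAP down:    rc=%d (%s)\n", r1, buf);

    int r2 = lock_identity_resilient(uid, lookup_unreachable, buf, sizeof buf);
    printf("resilient, LDAP down: rc=%d (%s)\n", r2, buf);

    /* Real lookup for the current process, whatever the host's NSS says. */
    lock_identity_resilient(getuid(), getpwuid, buf, sizeof buf);
    printf("resilient, real NSS:  %s\n", buf);
    return 0;
}
```

With the simulated outage the strict routine returns -1 and the screen would stay unlocked, exactly the failure mode described in the report; the resilient routine returns 0 and locks with a numeric placeholder name. Passing the real getpwuid() shows the same code path working against the host's actual NSS configuration.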
