On Fri, Mar 30, 2007 at 03:39:02PM +0100, Sheridan Hutchinson wrote:
Package: klaptopdaemon
Version: 4:3.5.5-3
Severity: grave
Tags: security
Justification: user security hole
Hi, I'm using Etch RC2 and I use klaptopdaemon to lock and hibernate my
laptop when I noticed an interesting little bug. I access lock and
hibernate by right-clicking on the system tray icon and clicking on the
option there.

Depending on the load on the system, klaptopdaemon appears to be
allowing someone unhibernating a locked hibernated system, brief access
to the desktop.

The first time that I noticed this I was able to start accessing a
previously opened terminal and got 'ls -la' into the terminal, and to
get the directory listing, before the screenlock was brought up.

I have tried to replicate this and catch it on my phone camera, although
I have been unable to replicate the system load of the first time I
caught it. However, I attach move00064.3gp which is a video of me
trying to replicate this, and you can see that just after coming out of
hibernate and once the X screen is brought back up, you can see a flash of
my desktop. When I first noticed this bug, I believe my system was
under considerable load and I was able to interfere with the desktop at
my leisure, until the screenlock was brought up.

As a recollection, Windows NT 3.xx had a bug like this in the distant
past, and that knowledge brought me to notice this flaw.

I will do further experiments with system load and other factors to see
if I can get access to desktop for a prolonged period of time again. If
I was able to get up a terminal, and it was root logged on, presumably I
could kill off the process that would launch the screenlock before it
had a chance and have my wicked way with the desktop?
...
I have uploaded packages with a new patch from Raul at:
deb http://people.debian.org/~ana/kdeutils/ ./
Test it please!
Ana