Bug#737396: kscreensaver: locked screen allows any password if a third session (vt9) is also active
Package: kscreensaver
Version: 4:4.8.4-5
Justification: causes serious data loss
Severity: critical
Tags: security
Dear Maintainer,
after activating three (kde-)sessions on vt7, vt8 and vt9, one of the
sessions does not need a password entered at the login widget; it still
lets you in. Which session is affected is not clear; it seems to be random.
Not sure, but I think even root sessions could be started this way.
Thanks
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.9-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages kscreensaver depends on:
ii kde-runtime 4:4.11.3-1
ii kde-workspace-bin 4:4.11.3-2
ii libc6 2.17-97
ii libgl1-mesa-glx [libgl1] 9.1.3-6
ii libglu1-mesa [libglu1] 9.0.0-2
ii libkdecore5 4:4.11.3-2
ii libkdeui5 4:4.11.3-2
ii libkexiv2-10 4:4.8.4-1
ii libkio5 4:4.11.3-2
ii libkparts4 4:4.11.3-2
ii libkscreensaver5 4:4.11.3-2
ii libqt4-opengl 4:4.8.4+dfsg-4
ii libqtcore4 4:4.8.4+dfsg-4
ii libqtgui4 4:4.8.4+dfsg-4
ii libstdc++6 4.8.2-10
ii libx11-6 2:1.6.2-1
Versions of packages kscreensaver recommends:
ii kde-window-manager 4:4.11.3-2
ii kscreensaver-xsavers 4:4.8.4-5
kscreensaver suggests no packages.
-- no debconf information