Announcement

Collapse
No announcement yet.

An Easy But Serious Screensaver Security Problem In X.Org

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • An Easy But Serious Screensaver Security Problem In X.Org

    Phoronix: An Easy But Serious Screensaver Security Problem In X.Org

    I've been alerted this afternoon that there's an outstanding security vulnerability within the current X.Org Server that's receiving little attention. This active vulnerability could allow anyone with physical access to your system to easily bypass the desktop's screen lock regardless of your desktop environment...

    http://www.phoronix.com/vr.php?view=MTA0NTA

  • #2
    Holy Crap!! I just tried this in ArchLinux with all the latest packages and it too is affected by this.

    Comment


    • #3
      Hang on, so unless I'm missing something all you have to do is press CTRL+ALT+Keypad-Multiply? I assume Keypad-Multiply is the button directly above the number 9 on my keypad? well I just tried those three button combinations and it did nothing, I'm running Linux Mint Debian Edition.

      Comment


      • #4
        definitely a show-stopper

        Comment


        • #5
          Not cool for multi-user systems!

          Comment


          • #6
            RHEL 6.x is running X.Org Server 1.10.4, so fortunately it isn't vulnerable. RHEL is one of the most likely Linux desktop OSes to be deployed in a public area such as a computer lab at a university, where you really wouldn't want someone to be able to do this.

            That said, I'm sure there is some public computer somewhere in the world where physical access of untrusted users is common/accepted, running X.Org 1.11 or later. Now people know to check before they trust the "lock screen" feature. Good find, Michael (even though you didn't originally find the issue, good job reporting it anyway).

            Comment


            • #7
              List of affected distros :
              http://distrowatch.com/search.php?pk...11.*#pkgsearch

              Ubuntu 12.04 here which is not affected (running xorg 1.10.4)

              Comment


              • #8
                Pathetic. How can that slip by a whole bunch of developers who supposedly know what they're doing?
                Get back on the ship, dammit!

                Comment


                • #9
                  Originally posted by gururise View Post
                  Holy Crap!! I just tried this in ArchLinux with all the latest packages and it too is affected by this.
                  Me too. In GNOME 3, it brings me back to the desktop, but kills the top activites panel.

                  Comment


                  • #10
                    This bug is certainly not so good for marketing, its not that you get a secure system when you just fix that. You just avoid the reboot - on reboot you can get to root rights with Linux using an unlocked bootloader (which is the default) and similar to any Mac system. For Win you usually need at least a cd/usb key to boot from. A screen lock only helds back the most harmless attackers

                    Comment


                    • #11
                      Yup, it works in Fedora 16!

                      Comment


                      • #12
                        Originally posted by gururise View Post
                        Holy Crap!! I just tried this in ArchLinux with all the latest packages and it too is affected by this.
                        It's already fixed btw.
                        https://bugs.archlinux.org/index.php...&task_id=27993

                        Comment


                        • #13
                          Originally posted by Kano View Post
                          This bug is certainly not so good for marketing, its not that you get a secure system when you just fix that. You just avoid the reboot - on reboot you can get to root rights with Linux using an unlocked bootloader (which is the default) and similar to any Mac system. For Win you usually need at least a cd/usb key to boot from. A screen lock only helds back the most harmless attackers
                          The bigger issue is having a browser open logged into somewhere. A reboot will not get you there, this will.

                          Comment


                          • #14
                            Well it does not expose root rights until you have got a root terminal open all the time. But when you reboot with correct options you are root.

                            Comment


                            • #15
                              Again, having root on a system you may be able to cause less damage than with a logged in browser.

                              Comment

                              Working...
                              X