An Easy But Serious Screensaver Security Problem In X.Org

  • curaga
    replied
    Again, with root on a system you may be able to cause less damage than with a logged-in browser.

  • Kano
    replied
    Well, it does not expose root rights unless you have a root terminal open all the time. But when you reboot with the correct options you are root.

  • curaga
    replied
    Originally posted by Kano:
    This bug is certainly not so good for marketing; it's not that you get a secure system when you just fix that. You just avoid the reboot - on reboot you can get to root rights with Linux using an unlocked bootloader (which is the default), and similarly on any Mac system. For Windows you usually need at least a CD/USB key to boot from. A screen lock only holds back the most harmless attackers.
    The bigger issue is having a browser open and logged into somewhere. A reboot will not get you there; this will.

  • ChrisXY
    replied
    Originally posted by gururise:
    Holy crap!! I just tried this in Arch Linux with all the latest packages and it too is affected by this.
    It's already fixed, by the way.
    https://bugs.archlinux.org/index.php...&task_id=27993

  • blueskynis
    replied
    Yup, it works in Fedora 16!

  • Kano
    replied
    This bug is certainly not so good for marketing; it's not that you get a secure system when you just fix that. You just avoid the reboot - on reboot you can get to root rights with Linux using an unlocked bootloader (which is the default), and similarly on any Mac system. For Windows you usually need at least a CD/USB key to boot from. A screen lock only holds back the most harmless attackers.

  • Zeroedout
    replied
    Originally posted by gururise:
    Holy crap!! I just tried this in Arch Linux with all the latest packages and it too is affected by this.
    Me too. In GNOME 3, it brings me back to the desktop, but kills the top activities panel.

  • not.sure
    replied
    Pathetic. How can that slip by a whole bunch of developers who supposedly know what they're doing?
    Get back on the ship, dammit!

  • lithorus
    replied
    List of affected distros:
    http://distrowatch.com/search.php?pk...11.*#pkgsearch

    Ubuntu 12.04 here, which is not affected (running xorg 1.10.4).

  • allquixotic
    replied
    RHEL 6.x is running X.Org Server 1.10.4, so fortunately it isn't vulnerable. RHEL is one of the Linux desktop OSes most likely to be deployed in a public area such as a computer lab at a university, where you really wouldn't want someone to be able to do this.

    That said, I'm sure there is some public computer somewhere in the world where physical access of untrusted users is common/accepted, running X.Org 1.11 or later. Now people know to check before they trust the "lock screen" feature. Good find, Michael (even though you didn't originally find the issue, good job reporting it anyway).
