Now-Closed KDE Vulnerabilities Remind Us X11 Screen Locks / Screensavers Are Insecure
Written by Michael Larabel in KDE on 27 January 2015 at 09:00 AM EST. 21 Comments
KDE --
In addition to KDE Plasma 5.2 bringing many new features with today's release, it also addresses some security vulnerabilities concerning KDE's screen locker. Of course, to any longtime Phoronix readers following our frequent X11/X.Org coverage, this hardly comes as a surprise.

X11 is insecure. X11 doesn't have the concept of a screen-locker, frequently is affected by large number of security vulnerabilities dating back many years, etc. Security researchers even say X.Org's security is worse than it looks. Back in 2012 an X.Org Server bug showed just how easy it is to break the screensavers and any screen lock that may be employed by the system.

The newest example of an X11 screen lock issue is with Martin Gräßlin finding, exploiting, and fixing two vulnerabilities within the modern KDE screen lock. There was one issue with the QtQuick UI used for the screen lock and the second issue was about the usage of X11 by the screen locker.

Those interested in the details of the latest X11 screen locking woes on KDE can read Martin's blog post. He also whipped up a fake KDE screen lock in about one hour to demonstrate how lock screens on X11 are just like any other client and cannot be trusted.

At least when Wayland finally takes over, the security situation improves and allows the screen locking mechanism to be part of the compositor rather than just another client.
Related News
About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Popular News This Week