From nobody Tue Apr  7 08:03:35 2026
Received: (at submit) by bugs.debian.org; 9 May 2010 21:14:30 +0000
Return-path: <sonne@debian.org>
Received: from nn7.de ([85.214.94.156])
 by busoni.debian.org with esmtp (Exim 4.69)
 (envelope-from <sonne@debian.org>) id 1OBDpV-0002uA-Sw
 for submit@bugs.debian.org; Sun, 09 May 2010 21:14:30 +0000
Received: (qmail 9873 invoked from network); 9 May 2010 23:14:25 +0200
Received: from unknown (HELO no.nn7.de) (127.0.0.1)
 by localhost with SMTP; 9 May 2010 23:14:25 +0200
Received: (nullmailer pid 15600 invoked by uid 1000);
 Sun, 09 May 2010 21:14:25 -0000
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Soeren Sonnenburg <sonne@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: a locked gnome-screensaver can be circumvented by inserting a
 pluggable media
Reply-To: Soeren Sonnenburg <sonne@debian.org>
Message-ID: <20100509211425.13328.59410.reportbug@localhost.localdomain>
X-Mailer: reportbug 4.12.1
Date: Sun, 09 May 2010 23:14:25 +0200
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>,
 Debian Testing Security Team
 <secure-testing-team@lists.alioth.debian.org>
Delivered-To: submit@bugs.debian.org

Package: gnome-screensaver
Version: 2.30.0-1
Severity: grave
Tags: security

When I plug in a USB stick, the login window is put in the background and
I see the desktop and can interact with it.

So, to reproduce:

1) lock screen
2) insert USB stick and wait until it is mounted
3) voila!

-- System Information:
Debian Release: squeeze/sid
  APT prefers stable
  APT policy: (700, 'stable'), (650, 'testing'), (600, 'unstable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32.11-sonne (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gnome-screensaver depends on:
ii  dbus-x11                      1.2.24-1   simple interprocess messaging syst
ii  gconf2                        2.28.1-3   GNOME configuration database syste
ii  gnome-icon-theme              2.30.2.1-1 GNOME Desktop icon theme
ii  gnome-session                 2.30.0-1   The GNOME Session Manager - GNOME 
ii  libc6                         2.10.2-7   Embedded GNU C Library: Shared lib
ii  libcairo2                     1.8.10-4   The Cairo 2D vector graphics libra
ii  libdbus-1-3                   1.2.24-1   simple interprocess messaging syst
ii  libdbus-glib-1-2              0.86-1     simple interprocess messaging syst
ii  libgconf2-4                   2.28.1-3   GNOME configuration database syste
ii  libgl1-mesa-glx [libgl1]      7.7.1-1    A free implementation of the OpenG
ii  libglib2.0-0                  2.24.1-1   The GLib library of C routines
ii  libgnome-desktop-2-17         2.30.0-2   Utility library for loading .deskt
ii  libgnome-menu2                2.30.0-1   an implementation of the freedeskt
ii  libgnomekbd4                  2.30.1-2   GNOME library to manage keyboard c
ii  libgtk2.0-0                   2.20.1-1   The GTK+ graphical user interface 
ii  libnotify1 [libnotify1-gtk2.1 0.4.5-1    sends desktop notifications to a n
ii  libpam0g                      1.1.1-3    Pluggable Authentication Modules l
ii  libpango1.0-0                 1.28.0-1   Layout and rendering of internatio
ii  libx11-6                      2:1.3.3-3  X11 client-side library
ii  libxext6                      2:1.1.1-3  X11 miscellaneous extension librar
ii  libxklavier16                 5.0-2      X Keyboard Extension high-level AP
ii  libxxf86vm1                   1:1.1.0-2  X11 XFree86 video mode extension l

Versions of packages gnome-screensaver recommends:
ii  gnome-power-manager           2.30.1-1   power management tool for the GNOM
ii  libpam-gnome-keyring          2.30.1-2   PAM module to unlock the GNOME key
ii  rss-glx                       0.9.1-2    Really Slick Screensavers GLX Port

Versions of packages gnome-screensaver suggests:
ii  xscreensaver-data             5.10-7     data files to be shared among scre

-- no debconf information

