LightDM - Feb 2017 - LightDM locking security bug

Hi all,

I'm not sure if this is actually a bug or a misconfiguration on my system,
but I have discovered a major security vulnerability in screen locking
(dm-tool lock), and I would like some advice on how to proceed with it. I
didn't see a bug tracker or anything on the website and do not want to send
out what could be major security bug to a public mailing list.

My system is Debian testing and I use Xmonad as my WM.

Thank you very much!
Alexis Hunt
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.freedesktop.org/archives/lightdm/attachments/20170205/c1200c2c/attachment.html>

On Sun, 2017-02-05 at 06:00 +0000, Alexis Hunt wrote:
> I'm not sure if this is actually a bug or a misconfiguration on my
system,
> but I have discovered a major security vulnerability in screen locking
> (dm-tool lock), and I would like some advice on how to proceed with it. I
> didn't see a bug tracker or anything on the website and do not want to
send
> out what could be major security bug to a public mailing list.
> 
> My system is Debian testing and I use Xmonad as my WM.
You can either report privately to the Debian security team (team at
security.deb
ian.org) or open a launchpad bug and tag it security (so it will be private).

Note that dm-tool lock won't actually lock anything but (as indicated in the
manpage) switch to a greeter with a hint that the screen is locked. If you
don't have something doing the actual lock (like light-locker) then nothing
will happen.

Regards,
-- 
Yves-Alexis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part
URL:
<https://lists.freedesktop.org/archives/lightdm/attachments/20170206/d7fa5028/attachment.sig>