Troy Davis
2008-Aug-20 15:13 UTC
[Secure-testing-team] Bug#495806: Locked screen accepts any password to unlock
Package: screen
Version: 4.0.3-11
Severity: grave
Tags: security
Justification: user security hole

Hello,

Screen has started accepting any password at all at the locked screen prompt on my testing box. I do not know when exactly this behavior started; I just noticed it today. A different box running etch works as expected, i.e. only unlocking when the user's system password is entered. I have tested this with multiple users on the lenny box.

Searching the Debian screen bug reports and the screen-users mailing list turns up nothing. The only thing I can guess right now is that it might have something to do with new pam packages in testing. User error is always a possibility, too. ;-)

Thank you,
Troy Davis

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.25-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages screen depends on:
ii  libc6          2.7-13          GNU C Library: Shared libraries
ii  libncursesw5   5.6+20080713-1  shared libraries for terminal hand
ii  libpam0g       1.0.1-2         Pluggable Authentication Modules l

screen recommends no packages.

screen suggests no packages.

-- debconf information:
  screen/old_upgrade_prompt: false