Soeren Sonnenburg
2010-May-09 21:14 UTC
[Secure-testing-team] Bug#580923: a locked gnome-screensaver can be circumvented by inserting a pluggable media
Package: gnome-screensaver
Version: 2.30.0-1
Severity: grave
Tags: security

when I plug in a usb stick the login window is put in the background and I see the desktop and can interact with it.

so to reproduce:

1) lock screen
2) insert usb stick and wait until it is mounted
3) voila!

-- System Information:
Debian Release: squeeze/sid
  APT prefers stable
  APT policy: (700, 'stable'), (650, 'testing'), (600, 'unstable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32.11-sonne (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gnome-screensaver depends on:
ii  dbus-x11                       1.2.24-1    simple interprocess messaging syst
ii  gconf2                         2.28.1-3    GNOME configuration database syste
ii  gnome-icon-theme               2.30.2.1-1  GNOME Desktop icon theme
ii  gnome-session                  2.30.0-1    The GNOME Session Manager - GNOME
ii  libc6                          2.10.2-7    Embedded GNU C Library: Shared lib
ii  libcairo2                      1.8.10-4    The Cairo 2D vector graphics libra
ii  libdbus-1-3                    1.2.24-1    simple interprocess messaging syst
ii  libdbus-glib-1-2               0.86-1      simple interprocess messaging syst
ii  libgconf2-4                    2.28.1-3    GNOME configuration database syste
ii  libgl1-mesa-glx [libgl1]       7.7.1-1     A free implementation of the OpenG
ii  libglib2.0-0                   2.24.1-1    The GLib library of C routines
ii  libgnome-desktop-2-17          2.30.0-2    Utility library for loading .deskt
ii  libgnome-menu2                 2.30.0-1    an implementation of the freedeskt
ii  libgnomekbd4                   2.30.1-2    GNOME library to manage keyboard c
ii  libgtk2.0-0                    2.20.1-1    The GTK+ graphical user interface
ii  libnotify1 [libnotify1-gtk2.1  0.4.5-1     sends desktop notifications to a n
ii  libpam0g                       1.1.1-3     Pluggable Authentication Modules l
ii  libpango1.0-0                  1.28.0-1    Layout and rendering of internatio
ii  libx11-6                       2:1.3.3-3   X11 client-side library
ii  libxext6                       2:1.1.1-3   X11 miscellaneous extension librar
ii  libxklavier16                  5.0-2       X Keyboard Extension high-level AP
ii  libxxf86vm1                    1:1.1.0-2   X11 XFree86 video mode extension l

Versions of packages gnome-screensaver recommends:
ii  gnome-power-manager            2.30.1-1    power management tool for the GNOM
ii  libpam-gnome-keyring           2.30.1-2    PAM module to unlock the GNOME key
ii  rss-glx                        0.9.1-2     Really Slick Screensavers GLX Port

Versions of packages gnome-screensaver suggests:
ii  xscreensaver-data              5.10-7      data files to be shared among scre

-- no debconf information