Albert Dengg
2011-May-20 10:26 UTC
[Secure-testing-team] Bug#627397: xscreensaver: crashes when locking the screen
Package: xscreensaver
Version: 5.13-1
Severity: grave
Tags: security
Justification: user security hole

hi,
since a few days, xscreensaver crashes upon locking via
xscreensaver-command -lock

that actually creates a security problem because if you send your
notebook to sleep (suspend to ram) via closing it, you won't notice
until you start it again, but in effect the account was basically
open to everyone.

see attached log file

yours,
albert

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.38-2-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages xscreensaver depends on:
ii  libatk1.0-0         2.0.0-1          The ATK accessibility toolkit
ii  libc6               2.13-4           Embedded GNU C Library: Shared lib
ii  libcairo2           1.10.2-6         The Cairo 2D vector graphics libra
ii  libfontconfig1      2.8.0-2.2        generic font configuration library
ii  libfreetype6        2.4.4-1          FreeType 2 font engine, shared lib
ii  libgdk-pixbuf2.0-0  2.23.3-3         GDK Pixbuf library
ii  libglade2-0         1:2.6.4-1        library to load .glade files at ru
ii  libglib2.0-0        2.28.6-1         The GLib library of C routines
ii  libgtk2.0-0         2.24.4-3         The GTK+ graphical user interface
ii  libice6             2:1.0.7-1        X11 Inter-Client Exchange library
ii  libpam0g            1.1.2-3          Pluggable Authentication Modules l
ii  libpango1.0-0       1.28.3-6         Layout and rendering of internatio
ii  libsm6              2:1.2.0-1        X11 Session Management library
ii  libx11-6            2:1.4.3-1        X11 client-side library
ii  libxext6            2:1.3.0-1        X11 miscellaneous extension librar
ii  libxi6              2:1.4.2-1        X11 Input extension library
ii  libxinerama1        2:1.1.1-1        X11 Xinerama extension library
ii  libxml2             2.7.8.dfsg-2+b1  GNOME XML library
ii  libxmu6             2:1.1.0-2        X11 miscellaneous utility library
ii  libxpm4             1:3.5.9-1        X11 pixmap library
ii  libxrandr2          2:1.3.1-1        X11 RandR extension library
ii  libxrender1         1:0.9.6-1        X Rendering Extension client libra
ii  libxt6              1:1.1.1-1        X11 toolkit intrinsics library
ii  libxxf86vm1         1:1.1.1-1        X11 XFree86 video mode extension l
ii  xscreensaver-data   5.13-1           data files to be shared among scre

Versions of packages xscreensaver recommends:
ii  libjpeg-progs       8c-1                  Programs for manipulating JPEG fil
pn  miscfiles | wordlis <none>                (no description available)
ii  perl [perl5]        5.12.3-6              Larry Wall's Practical Extraction
ii  xli                 1.17.0+20061110-3+b1  command line tool for viewing imag

Versions of packages xscreensaver suggests:
pn  fortune                   <none>   (no description available)
pn  gdm3 | kdm-gdmcompat      <none>   (no description available)
ii  iceweasel [www-browser]   4.0.1-2  Web browser based on Firefox
pn  qcam | streamer           <none>   (no description available)
pn  xdaliclock                <none>   (no description available)
pn  xfishtank                 <none>   (no description available)
pn  xscreensaver-gl           <none>   (no description available)

-- no debconf information
-------------- next part --------------
##########################################################################
xscreensaver: 12:20:06: logging to "log.txt" at Fri May 20 12:20:06 2011
##########################################################################

xscreensaver 5.13, copyright (c) 1991-2008 by Jamie Zawinski <jwz at jwz.org>.
xscreensaver: 12:20:06: running as albert/albert (1000/1000)
xscreensaver: 12:20:06: in process 2295.
xscreensaver: 12:20:06: running on display ":0"
xscreensaver: 12:20:06: vendor is The X.Org Foundation, 11001000.
xscreensaver: 12:20:06: useful extensions:
xscreensaver: 12:20:06:   MIT Screen-Saver (disabled at compile time)
xscreensaver: 12:20:06:   Shared Memory (1.1)
xscreensaver: 12:20:06:   Double-Buffering (1.0)
xscreensaver: 12:20:06:   Power Management (1.1)
xscreensaver: 12:20:06:   GLX
xscreensaver: 12:20:06:   XF86 Video-Mode (2.2)
xscreensaver: 12:20:06:   XC Misc (disabled at compile time)
xscreensaver: 12:20:06:   Xinerama (1.1)
xscreensaver: 12:20:06:   Resize-and-Rotate (1.3)
xscreensaver: 12:20:06:   XInput
xscreensaver: 12:20:06: screen 0 non-colormapped depths: 0 24.
xscreensaver: 12:20:06: WARNING: RANDR and Xinerama report different
xscreensaver: 12:20:06:          screen layouts!  Believing RANDR.
xscreensaver: 12:20:06: screens in use: 1
xscreensaver: 12:20:06:   0/0: 800x480+0+0 (LVDS1)
xscreensaver: 12:20:06: rejected screens: 2
xscreensaver: 12:20:06:   1/0: 0x0+0+0 (VGA1) -- output disabled
xscreensaver: 12:20:06:   2/0: 0x0+0+0 (TV1) -- output disabled
xscreensaver: 12:20:06: selecting RANDR events
xscreensaver: 12:20:06: not using XInputExtension.
xscreensaver: 12:20:06: consulting /proc/interrupts for keyboard activity.
xscreensaver: 12:20:06: 0: visual 0x21 (TrueColor, depth: 24, cmap: default)
xscreensaver: 12:20:06: 0: saver window is 0xe00001.
xscreensaver: 12:20:06: selecting events on extant windows... done.
xscreensaver: 12:20:06: awaiting idleness.

##############################################################################

xscreensaver: 12:20:12: X Error!  PLEASE REPORT THIS BUG.
xscreensaver: 12:20:12: screen 0/0: 0xa9, 0x0, 0xe00001

##############################################################################

X Error of failed request:  BadMatch (invalid parameter attributes)
  Major opcode of failed request:  131 (DPMS)
  Minor opcode of failed request:  6 (DPMSForceLevel)
  Serial number of failed request:  675
  Current serial number in output stream:  676

#######################################################################

    If at all possible, please re-run xscreensaver with the command
    line arguments `-sync -verbose -log log.txt', and reproduce this
    bug.  That will cause xscreensaver to dump a `core' file to the
    current directory.  Please include the stack trace from that core
    file in your bug report.  *DO NOT* mail the core file itself!  That
    won't work.  A "log.txt" file will also be written.  Please *do*
    include the complete "log.txt" file with your bug report.

    http://www.jwz.org/xscreensaver/bugs.html explains how to create
    the most useful bug reports, and how to examine core files.

    The more information you can provide, the better.  But please
    report this bug, regardless!

#######################################################################

xscreensaver: 12:20:10: LOCK ClientMessage received; activating and locking.
xscreensaver: 12:20:10: 0: locked mode switching.
xscreensaver: 12:20:10: user is idle (ClientMessage)
xscreensaver: 12:20:10: blanking screen at Fri May 20 12:20:10 2011.
xscreensaver: 12:20:10: 0: grabbing keyboard on 0xa9... GrabSuccess.
xscreensaver: 12:20:10: 0: grabbing mouse on 0xa9... GrabSuccess.
xscreensaver: 12:20:10: fading...
xscreensaver: 12:20:12: fading done.
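
A defensive check for the failure mode in the report above, as an added example that is not part of the original message or of xscreensaver: a suspend wrapper that fails closed unless the locker keeps confirming the lock. It assumes `xscreensaver-command -time` prints a line containing "screen locked since" while locked; the function names and the SUSPEND_CMD placeholder are hypothetical.

```shell
#!/bin/sh
# Added example: suspend only after the locker has confirmed the lock and
# kept confirming it. Assumptions: `xscreensaver-command -time` prints
# "screen locked since ..." while locked; SUSPEND_CMD is a placeholder.
STATUS_CMD=${STATUS_CMD:-"xscreensaver-command -time"}
LOCK_CMD=${LOCK_CMD:-"xscreensaver-command -lock"}
SUSPEND_CMD=${SUSPEND_CMD:-"echo suspend-placeholder"}
POLL_INTERVAL=${POLL_INTERVAL:-1}

# Classify one status line as locked, unlocked, or dead (no daemon answering).
lock_state() {
    case "$1" in
        *"screen locked since"*) echo locked ;;
        *"screen blanked since"*|*"screen non-blanked since"*) echo unlocked ;;
        *) echo dead ;;
    esac
}

# confirm_lock NEED TRIES: succeed only after NEED consecutive "locked"
# readings within TRIES polls. In the log above the daemon accepted the LOCK
# message at 12:20:10 and hit the X error at 12:20:12, so a single early
# reading is not enough.
confirm_lock() {
    need=$1 tries=$2 streak=0
    while [ "$tries" -gt 0 ]; do
        # A failing status command (daemon gone) counts as no answer at all.
        out=$($STATUS_CMD 2>&1) || out=""
        if [ "$(lock_state "$out")" = locked ]; then
            streak=$((streak + 1))
            if [ "$streak" -ge "$need" ]; then return 0; fi
        else
            streak=0
        fi
        tries=$((tries - 1))
        sleep "$POLL_INTERVAL"
    done
    return 1
}

# Lock, then suspend only on sustained confirmation; otherwise fail closed.
safe_suspend() {
    $LOCK_CMD >/dev/null 2>&1 || true
    if confirm_lock "${1:-4}" "${2:-8}"; then
        $SUSPEND_CMD
    else
        echo "lock not confirmed, refusing to suspend" >&2
        return 1
    fi
}
```

Call `safe_suspend` from the lid-close or suspend hook with SUSPEND_CMD set to the system's real suspend command.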