Package: xscreensaver
Version: 5.26-1
Severity: important

Dear Maintainer,

Below is a description of a security flaw in the 'distort' option of 
xscreensaver. In short, when changing from account 'A' to account 'B', a 
distort of account 'C' is displayed, thus compromising the privacy and security 
of account 'C'.

The environment is a multi-user system on a single physical terminal. Two user 
accounts are running X sessions; the third is not, and never has been.

Switching between accounts is being done by keybindings. The first Xsession 
account was bound to Ctrl-Alt-F7, the second to Ctrl-Alt-F2, and the noX 
account to Ctrl-Alt-F1.

In the observed incident, a switch was made from tty7 (displaying windows of 
several processes) to tty2 (displaying windows of several different processes), 
yet the screensaver displayed the emacs session being run on the third account, 
running on tty1.

-- System Information:
Debian Release: jessie/sid
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages xscreensaver depends on:
ii  libatk1.0-0          2.12.0-1
ii  libc6                2.19-7
ii  libcairo2            1.12.16-2
ii  libfontconfig1       2.11.0-5
ii  libfreetype6         2.5.2-1
ii  libgdk-pixbuf2.0-0   2.30.7-1
ii  libglade2-0          1:2.6.4-2
ii  libglib2.0-0         2.40.0-3
ii  libgtk2.0-0          2.24.24-1
ii  libice6              2:1.0.9-1
ii  libpam0g             1.1.8-3
ii  libpango-1.0-0       1.36.3-1
ii  libpangocairo-1.0-0  1.36.3-1
ii  libpangoft2-1.0-0    1.36.3-1
ii  libsm6               2:1.2.2-1
ii  libx11-6             2:1.6.2-2
ii  libxext6             2:1.3.2-1
ii  libxi6               2:1.7.4-1
ii  libxinerama1         2:1.1.3-1
ii  libxml2              2.9.1+dfsg1-4
ii  libxmu6              2:1.1.2-1
ii  libxpm4              1:3.5.11-1
ii  libxrandr2           2:1.4.2-1
ii  libxrender1          1:0.9.8-1
ii  libxt6               1:1.1.4-1
ii  libxxf86vm1          1:1.1.3-1
ii  xscreensaver-data    5.26-1

Versions of packages xscreensaver recommends:
ii  libjpeg-progs         8d1-1
ii  perl [perl5]          5.18.2-7
ii  wamerican [wordlist]  7.1-1

Versions of packages xscreensaver suggests:
ii  elinks [www-browser]     0.12~pre6-5
ii  fortune-mod [fortune]    1:1.99.1-7
ii  gdm3                     3.12.2-2
ii  iceweasel [www-browser]  32.0~b3-1
ii  lynx-cur [www-browser]   2.8.9dev1-2
pn  qcam | streamer          <none>
ii  w3m [www-browser]        0.5.3-16
pn  xdaliclock               <none>
pn  xfishtank                <none>
pn  xscreensaver-gl          <none>

-- no debconf information
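For an administrator who wants to rule out screen grabbing by the image-manipulating hacks ('distort' among them) while this is investigated, here is an added audit/hardening script; it is not part of the report, it relies on the real xscreensaver resource grabDesktopImages, and the sample preferences file it works on is constructed for the example.

```shell
#!/bin/sh
# Audit an ~/.xscreensaver preferences file for 'grabDesktopImages', the
# resource that allows hacks such as 'distort' to capture the current screen
# contents, and write a hardened copy with it turned off.

# grab_disabled FILE: returns 0 if desktop grabbing is explicitly disabled,
# 1 if it is enabled or absent (xscreensaver's built-in default is True).
grab_disabled() {
    file="$1"
    # The last uncommented 'grabDesktopImages:' line is the effective one.
    value=$(grep -i '^[[:space:]]*grabDesktopImages:' "$file" 2>/dev/null \
            | tail -n 1 | sed 's/^[^:]*:[[:space:]]*//' | tr 'A-Z' 'a-z')
    case "$value" in
        false|off|no|0) return 0 ;;
        *)              return 1 ;;
    esac
}

# harden SRC DST: copy SRC to DST, dropping any existing grabDesktopImages
# setting and appending an explicit 'False'.
harden() {
    src="$1"; dst="$2"
    grep -iv '^[[:space:]]*grabDesktopImages:' "$src" > "$dst"
    printf 'grabDesktopImages:\tFalse\n' >> "$dst"
}

# Constructed sample resembling a default preferences file (not a real user's).
tmp=$(mktemp -d)
cat > "$tmp/weak.xscreensaver" <<'EOF'
# XScreenSaver Preferences File (constructed sample)
timeout:	0:10:00
mode:		random
grabDesktopImages:	True
programs:	distort -root
EOF
harden "$tmp/weak.xscreensaver" "$tmp/hard.xscreensaver"
```

Run the check against each user's ~/.xscreensaver, or set the resource through the "Advanced" tab of xscreensaver-demo (uncheck "Grab desktop images"), so that the running xscreensaver daemon picks it up.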
