Package: xdg-utils
Version: 1.1.0~rc1-2
Severity: important
Tags: security
File: /usr/bin/xdg-screensaver
Marking this "important" for its potential security implications. I'd even rate this "serious", but I would like to leave that choice up to the maintainers.

I just found the following on my system:

madduck     702  0.0  0.0   4148   456 ?  S  Sep21  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x02c015fa
madduck     812  0.0  0.0   4148   452 ?  S  Sep21  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x02c00061
madduck    7210  0.0  0.0   4148   452 ?  S  Sep29  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x00c0014a
madduck    7255  0.0  0.0   4148   452 ?  S  Sep30  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x048001e6
madduck    7325  0.0  0.0   4148   452 ?  S  Sep29  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x00c000f9
madduck    7357  0.0  0.0   4148   452 ?  S  Sep30  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x04800061
madduck    7454  0.0  0.0   4148   448 ?  S  Sep30  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x04800061
madduck   14619  0.0  0.0   4148   452 ?  S  Sep23  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x02800199
madduck   14710  0.0  0.0   4148   448 ?  S  Sep26  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x03a00172
madduck   14930  0.0  0.0   4148   452 ?  S  Sep27  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x03e00154
madduck   15043  0.0  0.0   4148   452 ?  S  Sep27  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x03e00168
madduck   15723  0.0  0.0   4148   452 ?  S  Sep26  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x03200168
madduck   16064  0.0  0.0   4148   452 ?  S  Sep26  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x03a00061
madduck   16136  0.0  0.0   4148   452 ?  S  Sep29  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x02800182
madduck   16850  0.0  0.0   4148   456 ?  S  Sep28  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x03c00164
madduck   18344  0.0  0.0   4148   456 ?  S  Sep28  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x02e0015a
madduck   18466  0.0  0.0   4148   452 ?  S  Sep28  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x02e000e7
madduck   18573  0.0  0.0   4148   452 ?  S  Sep28  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x02e00168
madduck   19608  0.0  0.0   4148   452 ?  S  Sep26  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x03600178
madduck   19856  0.0  0.0   4148   452 ?  S  Sep26  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x0360015e
madduck   20080  0.0  0.0   4148   452 ?  S  Sep28  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x02e00168
madduck   26791  0.0  0.0   4148   452 ?  S  Sep30  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x04800183
madduck   26880  0.0  0.0   4148   448 ?  S  08:52  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x0160015e
madduck   26891  0.0  0.0   4148   452 ?  S  Sep30  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x048001d4
madduck   27004  0.0  0.0   4148   452 ?  S  Sep29  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x04c00172
madduck   28246  0.0  0.0   4148   452 ?  S  08:55  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x01605801
madduck   30301  0.0  0.0   4148   452 ?  S  Sep25  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x02e0016e
madduck   30723  0.0  0.0   4148   452 ?  S  Sep29  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x046000e7
madduck   31454  0.0  0.0   4148   452 ?  S  Sep21  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x02c00061
madduck   31491  0.0  0.0   4148   456 ?  S  Sep30  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x01800154
madduck   31636  0.0  0.0   4148   452 ?  S  Sep30  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x01806b2a
madduck   32118  0.0  0.0   4148   456 ?  S  Sep29  0:00 /bin/sh /usr/bin/xdg-screensaver suspend 0x04600168

It seems that every time I run vlc, an xdg-screensaver suspend process is created, but it never exits. As a consequence, Xscreensaver never triggers on idle and the screen does not get locked.

An attacker could potentially exploit this on a co-worker who does not explicitly lock their session before going to lunch, e.g. by sending a "funny video" in time beforehand. Granted, this is far-fetched, but it's a problem.
-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-rc4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_NZ, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

xdg-utils depends on no packages.

Versions of packages xdg-utils recommends:
ii  libfile-mimeinfo-perl  <none>
ii  x11-utils              7.6+3
ii  x11-xserver-utils      7.6+3

Versions of packages xdg-utils suggests:
pn  gvfs-bin               <none>

-- no debconf information

-- 
 .''`.   martin f. krafft <[email protected]>      Related projects:
: :'  :  proud Debian developer                   http://debiansystem.info
`. `'`   http://people.debian.org/~madduck        http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems
digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/sig-policy/999bbcc4/current)
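The leftover processes above hold a screensaver inhibit for a window that has long since been destroyed. A quick way to audit a session for this condition is to compare the window id each `xdg-screensaver suspend` process was started with against the windows the X server still knows about. The script below is an added example and is not part of the bug report or of xdg-utils; it assumes the process list comes from `ps -eo pid,args` and the live window list from `xwininfo -root -tree` (both are assumptions about how one would feed it real data), and it runs here on constructed sample text so it works offline.

```shell
#!/bin/sh
# Added example (not from the bug report or xdg-utils): list the PIDs of
# "xdg-screensaver suspend <window-id>" processes whose window no longer
# exists, i.e. stale screensaver inhibits that keep the screen from locking.
#
# Assumed real-world inputs (not taken from the report):
#   stale_suspends "$(ps -eo pid,args)" "$(xwininfo -root -tree)"
# Each reported PID can then be cleared with
#   xdg-screensaver resume <window-id>   (or by killing the /bin/sh process).

# Constructed sample ps -eo pid,args output: two suspends whose windows are
# gone, one whose window still exists, and an unrelated process.
SAMPLE_PS='  702 /bin/sh /usr/bin/xdg-screensaver suspend 0x02c015fa
  812 /bin/sh /usr/bin/xdg-screensaver suspend 0x02c00061
 7210 /bin/sh /usr/bin/xdg-screensaver suspend 0x00c0014a
 9999 /usr/bin/vlc video.mkv'

# Constructed sample xwininfo -root -tree output: only 0xc0014a (the same
# window as 0x00c0014a above) still exists.
SAMPLE_WINDOWS='xwininfo: Window id: 0x1e4 (the root window) (has no name)
     0xc0014a "vlc": ("vlc" "Vlc")  1280x720+0+0  +0+0
     0x1a00003 "xterm": ("xterm" "XTerm")  640x400+10+10  +10+10'

# Normalise a hex window id (drop 0x and leading zeros, lower-case) so that
# xdg-screensaver's zero-padded 0x00c0014a and xwininfo's 0xc0014a compare equal.
norm_wid() {
    printf '%s\n' "$1" | sed 's/^0[xX]//; s/^0*//' | tr 'A-F' 'a-f'
}

# Print "pid window-id" for every xdg-screensaver suspend process in the ps
# text, whether it was started via /bin/sh (as in the report) or directly.
suspend_procs() {
    printf '%s\n' "$1" | awk '
        $2 == "/bin/sh" && $3 ~ /xdg-screensaver$/ && $4 == "suspend" { print $1, $5 }
        $2 ~ /xdg-screensaver$/ && $3 == "suspend"                    { print $1, $4 }'
}

# Print the PIDs of suspend processes whose window id does not appear in the
# window-tree text. An id that never matches is a stale inhibit.
stale_suspends() {
    ps_text=$1
    win_text=$2
    live=$(printf '%s\n' "$win_text" | grep -o '0x[0-9a-fA-F]*' |
           while read -r w; do norm_wid "$w"; done)
    suspend_procs "$ps_text" | while read -r pid wid; do
        n=$(norm_wid "$wid")
        if ! printf '%s\n' "$live" | grep -qx "$n"; then
            printf '%s\n' "$pid"
        fi
    done
}

# Stand-alone run on the constructed data: prints 702 and 812.
stale_suspends "$SAMPLE_PS" "$SAMPLE_WINDOWS"
```

Note that this only tells you which inhibits are stale; on the affected version the underlying problem is that the suspend process is supposed to exit on its own when the window goes away, so clearing them by hand is a workaround, not a fix.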

