Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4642 to the following vulnerability: gnome-screensaver 2.26.1 relies on the gnome-session D-Bus interface to determine session idle time, even when an Xfce desktop such as Xubuntu or Mythbuntu is used, which allows physically proximate attackers to access an unattended workstation on which screen locking had been intended.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536381
http://bugzilla.xfce.org/show_bug.cgi?id=5927
https://bugzilla.gnome.org/show_bug.cgi?id=592093
https://launchpad.net/bugs/411350
https://launchpad.net/bugs/493573
Well, I don't think this affects the Xfce spin at least. We are using gdm, which requires gnome-session, so we have that installed on all the Xfce spin installs. It would be possible to switch to kdm/slim/whatever and remove gnome-session and gdm and run into this, but I don't think many people would do so. Perhaps gnome-screensaver should grow a dep on gnome-session to make sure it pulls in the needed functionality?
It's a bit of a stretch to call this a security vulnerability. There are lots of misconfigurations of the system that can result in an insecure desktop. This is just another one. A package dep won't help here. gnome-session has to be running the session for idle detection to work. gnome-screensaver could potentially check for the org.gnome.SessionManager name on the bus or whatever, but it certainly isn't a security issue that it doesn't. It's /gnome/ screensaver. You're supposed to run it in gnome. Running it outside of gnome isn't one of its project goals and it's not something that's supported. It could potentially work in environments outside of gnome if they implement the same required interfaces, but that's a big if and it's up to those environments to provide those interfaces.
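
The check mentioned in the comment above (looking for the org.gnome.SessionManager name on the bus) can be run from inside a desktop session to see whether idle locking can work there. This is an added example, not part of the original thread and not gnome-screensaver code. It assumes `dbus-send` is installed and that gnome-screensaver owns the `org.gnome.ScreenSaver` bus name; the function names and the `--check` switch are hypothetical.

```shell
#!/bin/sh
# Added example: report when gnome-screensaver is on the session bus but
# org.gnome.SessionManager (its source of idle time) is not.

# Ask the bus daemon whether a well-known name has an owner.
# Prints the raw dbus-send reply; prints nothing if the bus is unreachable.
name_has_owner_reply() {
    dbus-send --session --print-reply --dest=org.freedesktop.DBus \
        /org/freedesktop/DBus org.freedesktop.DBus.NameHasOwner \
        "string:$1" 2>/dev/null
}

# Reduce a dbus-send reply to yes / no / unknown.
parse_owner_reply() {
    case "$1" in
        *"boolean true"*)  echo yes ;;
        *"boolean false"*) echo no ;;
        *)                 echo unknown ;;
    esac
}

# Classify the session from the two parsed answers.
#   $1 = org.gnome.ScreenSaver owned?   (assumed screensaver bus name)
#   $2 = org.gnome.SessionManager owned?
idle_lock_status() {
    case "$1:$2" in
        yes:yes) echo ok ;;           # idle detection has its provider
        yes:no)  echo at-risk ;;      # screensaver running, no idle source
        no:*)    echo not-running ;;  # gnome-screensaver is not in use
        *)       echo unknown ;;      # bus unreachable or reply not parsed
    esac
}

check_session() {
    saver=$(parse_owner_reply "$(name_has_owner_reply org.gnome.ScreenSaver)")
    session=$(parse_owner_reply "$(name_has_owner_reply org.gnome.SessionManager)")
    idle_lock_status "$saver" "$session"
}

# Run the live check only when asked, e.g. from a session autostart script.
if [ "${1:-}" = "--check" ]; then
    status=$(check_session)
    echo "idle lock: $status"
    [ "$status" = "at-risk" ] && exit 2
    exit 0
fi
```

An `at-risk` result means the screensaver is running in a session where gnome-session is not, which is the configuration the CVE text describes.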