https://bugs.gentoo.org/show_bug.cgi?id=401645

Jeroen Roovers 2012-01-31 17:23:28 UTC

1) In a terminal, I run `slock & sleep 5; <some X app>'
2) After about 10 seconds, I press some keys that slock would interpret as a password.
3a) It does not allow me to use <some X app> - all keyboard controls are captured.
3b) Pointer device input is blocked - <some X app> cannot be controlled through the mouse.
4) Entering the correct password unlocks the screen and makes <some X app> focused and in the foreground.

The only harm I see here is a possible unwanted disclosure of the information that <some X app> happens to display at the time, but it's a vulnerability sure enough.
There's also another reproducer in Comment #4. Neither works for me with slock-0.9-9.fc16.x86_64 or slock-0.9-10r.fc16.x86_64, though -- the apps stay hidden, slock is in the foreground and eats all the input. This is correct behavior, afaic. I cannot reproduce this on F16.
http://hg.suckless.org/slock/rev/891a4984aba6 http://hg.suckless.org/slock/rev/91e329fb41b7
Added CVE as per http://www.openwall.com/lists/oss-security/2012/04/06/2
Longpoke 2012-02-01 03:41:11 UTC

You need to run the other program *concurrently*. I'll try and make the reproduction steps clearer:

1. run sleep <n>; <X-program>
2. lock the screen as fast as you can
3. make sure <n> seconds has passed, so that you know <X-program> has started
4. press some keys (any keys (doesn't have to be your actual password), don't hit enter)

Now the black screen will go away and you can see the current active desktop along with <X-program>.

Where <X-program> is the name of some X program that will create a window and leave it open when executed, i.e: pcmanfm.
Created slock tracking bugs for this issue Affects: fedora-all [bug 812086]
(In reply to comment #4)
> Longpoke 2012-02-01 03:41:11 UTC
>
> You need to run the other program *concurrently*. I'll try and make the
> reproduction steps clearer:
>
> 1. run sleep <n>; <X-program>
> 2. lock the screen as fast as you can
> 3. make sure <n> seconds has passed, so that you know <X-program> has started
> 4. press some keys (any keys (doesn't have to be your actual password), don't
> hit enter)
>
> Now the black screen will go away and you can see the current active desktop
> along with <X-program>.
>
> Where <X-program> is the name of some X program that will create a window and
> leave it open when executed, i.e: pcmanfm.

I've tried all those reproducers around, including yours now. I've never hit the issue. Some say this only happens with compositing managers and just sometimes...?

(In reply to comment #5)
> Created slock tracking bugs for this issue
>
> Affects: fedora-all [bug 812086]

As far as I know, this has been fixed in January and has been in f16 stable for some time now. I cannot verify it because of the reason stated above.
This was fixed in slock-0.9-10.fc16 on January 31.