Description of problem: When unlocking xscreensaver it dies with a SIGPIPE,
regardless of whether password was correct or not. This can give unauthorized
access to users desktops. We ran gdb on xscreensaver and saw the output below,
which indicates the SIGPIPE was getting propogated up from nss_ldap. This seems
like an nss_ldap bug for not dealing with the SIGPIPE but xscreensaver was the
main client we were having a problem with. I will attach the gdb xscreensaver
info and the patch we used to fix xscreensaver.
Version-Release number of selected component (if applicable):
This seems to depend on some timeout with the connection to the LDAP server so
it is not reliably reproduceable. Unlocking my screen 20 times per day may
cause it to crash once or twice.
Steps to Reproduce:
1. run xscreensaver with pam authentication set to use pam_unix
and nsswitch setup to query "files ldap"
2. lock xscreensaver and wait for ldap server to timeout (5 minutes to an hour)
3. try to unlock screen with any password
xscreensaver crashes and unlocks the screen
xscreensaver should NEVER unlock the screen due to any signal it got from a client
Created attachment 92072 [details]
patch to xscreensaver to block/ignore/unblock a sigpipe generated from pam_authenticate call
Created attachment 92073 [details]
gdb summary of xscreensaver crashing
We're having exactly the same problem here. We switched from our
old(er) OpenLDAP implementation to RH ES 2.1 (openldap-2.0.27-2.7.3),
during which we changed "idletimeout 0" to "idletimeout 300" in our
After this change, xscreensaver seems to semi-randomly crash (just
like Jason Wold described). We also use nss_ldap on our HP-UX
machines, and the change causes the entire desktop session to crash
upon unlocking the screensaver. It happens fairly consistently with
particular screensavers on the HP-UX machines, which may also agree
with the "client not handling the SIGPIPE correctly" argument.
This morning, I set "idletimeout" back to "0" (zero). I'll let
everyone know in a few hours if it ends up helping the problem(s).
Red Hat apologizes that these issues have not been resolved yet. We do want to
make sure that no important bugs slip through the cracks.
Red Hat Linux 7.3 and Red Hat Linux 9 are no longer supported by Red Hat, Inc.
They are maintained by the Fedora Legacy project (http://www.fedoralegacy.org/)
for security updates only. If this is a security issue, please reassign to the
'Fedora Legacy' product in bugzilla. Please note that Legacy security update
support for these products will stop on December 31st, 2006.
If this is not a security issue, please check if this issue is still present
in a current Fedora Core release. If so, please change the product and version
to match, and check the box indicating that the requested information has been
If you are currently still running Red Hat Linux 7.3 or 9, please note that
Fedora Legacy security update support for these products will stop on December
31st, 2006. You are strongly advised to upgrade to a current Fedora Core release
or Red Hat Enterprise Linux or comparable. Some information on which option may
be right for you is available at http://www.redhat.com/rhel/migrate/redhatlinux/.
Any bug still open against Red Hat Linux 7.3 or 9 at the end of 2006 will be
closed 'CANTFIX'. Again, if this bug still exists in a current release, or is a
security issue, please change the product as necessary. We thank you for your
help, and apologize again that we haven't handled these issues to this point.
Does this bug still exists?
If yes, I think just ignoring SIGPIPE is not the right way to fix it, the pam
module should not generate this signal.
Anyways, ignoring fatal signals might improve xscreensaver's robustness.
I believe this was fixed some time ago, probably before EL4 (this bug was filed against RHL9, which predates EL3). Marking as closed. Please reopen this report if you continue to see the problem in 4.8.