http://bugzilla.novell.com/show_bug.cgi?id=577193 http://bugzilla.novell.com/show_bug.cgi?id=577193#c0 Summary: Gnome screensaver does not lock screen until user/attacker action Classification: openSUSE Product: openSUSE 11.2 Version: Final Platform: x86-64 OS/Version: openSUSE 11.2 Status: NEW Severity: Normal Priority: P5 - None Component: Security AssignedTo: security-team@suse.de ReportedBy: s.handgraaf@xs4all.nl QAContact: qa@suse.de Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.7) Gecko/20091222 SUSE/3.5.7-1.1.1 Firefox/3.5.7 The gnome screensaver does not always lock the screen after the specified desktop idle period has passed. An attacker can misuse this to view the content on the screen and/or perform malicious actions on behalf of the user loged on. The following scenario is an example of such situation with the Firefox web browser. It is suspected the gnome screensaver does not lock the screen in other circumstances as well. The user has set the idle timer for the gnome screensaver to -for example- 1 minute. Then the user starts firefox as provided with the distribution. The user enters some characters (eg: suse) in the address field of the location bar. This makes the browser show drop down fields with address susgestion. The cursor is still blinking in the address field, the mouse is still on the address field, when the user leaves the system unattended. After 1 minute the screensaver does not lock the screen, an attacker physically visiting the system can still view the content of the screen and even perform actions by use of the keyboard - like scroll through the drop down fields disclosing visited urls of the user. With some actions, like moving the mouse pointer, the gnome screensaver is activated at will of the attacker. On opensuse 11.2 final with latest updates this issue has been noticed and reproduced. Reproducible: Always Steps to Reproduce: 1. configure gnnome screensaver to start after a specific period of idle time 2. start firefox with history of visited urls 3. click on address field and type characters that match any visited urls 4. when drop down box is displayed under address field, leave system idle with mouse pointer still over address field 5. after idle period the screensaver does not lock the screen 6. after some action (for instance mouse pointer movement) the screensaver does lock the screen Actual Results: 1) Screen remains unlocked even if the user does not avtively provide any input to the system by an input device. 2) Screen remains unlocked even if the user performs actions after the screensaver should have locked the screen. Expected Results: The gnome screensaver should be forced to lock the screen if no input was provided tot the system by the user after a predefined period of time. Question is why gnome screensaver 'prefers' to ignore lack of active user input over apparant input/non-idle notice from an application such as firefox.

From a security perspective I consider this a major issue since any application can apperantly force the gnome screensaver not to lock the screen without reconfiguration of the screensaver, allowing information disclosure and even actions. However, since the attacker must have physical access or already have control over the system I set the severity to normal.

If this is considered normal behaviour I would expect a clear warning at the configuration of the screensaver about what is considered as idle. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.