Mailinglist Archive: opensuse-bugs (5243 mails)

[Bug 802959] Security hazard: KDE screen locker says "session locked", but unlocks without password

https://bugzilla.novell.com/show_bug.cgi?id=802959

https://bugzilla.novell.com/show_bug.cgi?id=802959#c4


Kalenz . <me@xxxxxxxxx> changed:

What    |Removed                     |Added
----------------------------------------------------------------------------
Priority|P5 - None                   |P1 - Urgent
CC      |                            |me@xxxxxxxxx
Version |RC 1                        |RC 2
Summary |Screenlogger shows password |Security hazard: KDE screen
        |field when not needed       |locker says "session
        |                            |locked", but unlocks
        |                            |without password
Severity|Major                       |Critical
Flag    |                            |SHIP_STOPPER?

--- Comment #4 from Kalenz . <me@xxxxxxxxx> 2013-03-07 15:14:54 UTC ---
When 12.3 is released, users will be screaming for blood over two bugs: this
one, and Bug 800514. Would the gods of SHIP_STOPPER flagging give this their
immediate attention please!

I don't care whether we choose to blame the KDE folks upstream; a situation
where a computer displays an unlock dialogue which states: "The session has
been locked by $user" and requests a password, but then this dialogue
disappears instantly when anybody just waves a mouse, is a serious security
hazard.

Current DEFAULT setting on vanilla openSUSE/KDE install (12.3 RC2):
-- Start "Simple Locker" screen locker after 4 minutes
-- Do not require password

Unacceptable!! Instead, "Blank screen screensaver" should be selected.

The "Simple Locker" choice should not allow unticking the Require Password
option; this is a KDE problem, and I will report this upstream.

However, this ridiculous default setting is an openSUSE problem and must be
fixed prior to the 12.3 release.
