[dev] Re: [slock] Where to report possible security vulnerability

From: Chris Down <chris_AT_chrisdown.name>
Date: Tue, 7 Jul 2015 09:35:08 +0100

Thanks for your replies. I talked to Markus privately, and it seems this
issue was fixed in April (I was running a release version, not HEAD, my bad).

The vulnerability was pretty limited anyway. It basically involves:

- Lock the screen
- Send EDID modelines with a higher res than at the time of lock
- Wait for the display to be resized
- Part of the screen underneath slock is now visible

I assume that, even before this patch, doing something meaningful with this
would likely require physical access to the machine, so it doesn't seem very
worrying.

Sorry for the noise. :-)
Received on Tue Jul 07 2015 - 10:35:08 CEST
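
The four steps above come down to one invariant: the lock window must keep covering the whole screen after every resize, not only at lock time. The following model is an added illustration, not part of the original message and not slock's code; the struct names, the `track_resize` switch and the sample resolutions are constructed for the example, and the events stand in for the display server's resize notifications.

```c
#include <stdio.h>

struct geom { int w, h; };

struct locker {
    struct geom win;    /* geometry of the covering lock window */
    int track_resize;   /* 0: size fixed at lock time, 1: follow screen changes */
};

/* Screen pixels not covered by a lock window anchored at (0,0). */
static long exposed_pixels(struct geom scr, struct geom win)
{
    int cw = win.w < scr.w ? win.w : scr.w;   /* covered width */
    int ch = win.h < scr.h ? win.h : scr.h;   /* covered height */
    return (long)scr.w * scr.h - (long)cw * ch;
}

/* Handle one screen-size change; returns the exposure left afterwards. */
static long on_screen_change(struct locker *l, struct geom new_scr)
{
    if (l->track_resize)
        l->win = new_scr;   /* mitigation: resize the lock window to match */
    return exposed_pixels(new_scr, l->win);
}

/* Replay a sequence of resize events and report the worst exposure seen. */
long worst_exposure(int track_resize, struct geom at_lock,
                    const struct geom *events, int n)
{
    struct locker l = { at_lock, track_resize };
    long worst = 0;
    for (int i = 0; i < n; i++) {
        long e = on_screen_change(&l, events[i]);
        if (e > worst)
            worst = e;
    }
    return worst;
}

/* Constructed sample: the display grows, shrinks, then grows again. */
static const struct geom SAMPLE[] = { {1920, 1080}, {800, 600}, {1280, 1024} };

int main(void)
{
    struct geom at_lock = { 1024, 768 };   /* constructed lock-time size */
    printf("fixed-size window: %ld px exposed\n", worst_exposure(0, at_lock, SAMPLE, 3));
    printf("tracking window:   %ld px exposed\n", worst_exposure(1, at_lock, SAMPLE, 3));
    return 0;
}
```

A shrink exposes nothing because the fixed window still overhangs the smaller screen; only growth past the lock-time size uncovers content.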
