Xfce4-screensaver 0.1.9 Is Released With A Critical Security Fix
Xfce4-screensaver has, so far, had a really embarrassing adn very unfortunate bug which allowed anyone to unlock a machine locked with Xfce4-screensaver by connecting a docking station or a few extra monitors. Xfce developer Sean Davis has addressed this major security flaw as well as several other less embarrassing bugs in the latest Xfce4-screensaver release.
Unlocking a machine locked with Xfce's screensaver
xfce4-screensaver has long been a simple matter of turning two monitors on at the exact same time. That makes Xfce4-screensaver versions prior to 0.1.9 segfault and crash - leaving the machine unlocked. This very unfortunate Xfce bug #16102 has been open since October 29th 2019 and we have pointed fingers at it several times before. Xfce developer Sean Davis has finally closed this gaping security hole. He explained that the embarrassingly long delay before this security vulnerability was addressed was due to "real life conflicts" in a brief comment on March 22nd. He did not elaborate and we did not ask for further details since it is likely none of our business.
Xfce4-screensaver 0.1.9 addresses another less serious security related issue as well: Previous versions would lock the screen only after a suspended machine returns from suspend. This new version makes sure that the screen is locked before a machine suspends or hibernates. This prevents a hostile attacker from seeing the machines desktop for 1-2 seconds when it wakes up from a suspended state.
The complete changelog between xfce4-screensaver 0.1.9 and 0.1.8, released back in August 2018, is as follows:
- Replace deprecated GTimeVal usage
- Rebuild windows on monitor reconfiguration
- Draw overlays during window reconstruction to protect screen
- Do not activate DPMS when screensaver is inactive (bug #16327)
- Better handling of multi-monitor and lid-close events (bug #16102)
- Update LINGUAS (bug #15949)
- Fix decimal properties when running through atof
- Return 1 on lock command failure (bug #15945)
- Rename 'Pictures folder' to 'Slideshow' (bug #15589)
- Raise NameError and TypeError (bug #15830)
- Fix float parsing error (bug #16295)
- Fix inhibitor proxying (bug #16356)
- Fix inhibitor listing in xfce4-screensaver-command (bug #16355)
- Add systemd sleep inhibitor (bug #15929)
- Fix dbus inhibition (bug #16365)
- dbus: Prevent overzealous activation (bug #16365)
The source for xfce4-screensaver 0.1.9 can be acquired from archive.xfce.org. Distributions will, hopefully, add the new versions to their repositories since this is a very security-critical release. Unlocking a machine locked with a previous version is, after all, trivial.