- Package: xscreensaver-data
- Source: xscreensaver
- Description: Screen saver modules for screensaver frontends
- Submitter: Sven Ulland
- Date: 2014-08-27 18:48:05 UTC
- Severity: minor
Some hacks reveal the system's desktop, which is a potential security issue. The xscreensaver package depends on xscreensaver-data, which includes three hacks of this type: distort, ripples and slidescreen. I'd suggest moving these from xscreensaver-data to -data-extra, as they are enabled by default if a user installs the xscreensaver package, and locking the screen could then provide a false sense of security when it comes to information leak.
It would also help to just disable these screensavers in the default config. In any case, this is a serious security issue, as XScreenSaver is installed automatically with many window managers/DEs and users expect it to automatically protect their session.

-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.14-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages xscreensaver depends on:
ii libatk1.0-0 2.12.0-1
ii libc6 2.19-7
ii libcairo2 1.12.16-2
ii libfontconfig1 2.11.0-5
ii libfreetype6 2.5.2-1
ii libgdk-pixbuf2.0-0 2.30.7-1
ii libglade2-0 1:2.6.4-2
ii libglib2.0-0 2.40.0-3
ii libgtk2.0-0 2.24.23-1
ii libice6 2:1.0.8-2
ii libpam0g 1.1.8-3
ii libpango-1.0-0 1.36.3-1
ii libpangocairo-1.0-0 1.36.3-1
ii libpangoft2-1.0-0 1.36.3-1
ii libsm6 2:1.2.1-2
ii libx11-6 2:1.6.2-2
ii libxext6 2:1.3.2-1
ii libxi6 2:1.7.2-1
ii libxinerama1 2:1.1.3-1
ii libxml2 2.9.1+dfsg1-3
ii libxmu6 2:1.1.2-1
ii libxpm4 1:3.5.10-1
ii libxrandr2 2:1.4.2-1
ii libxrender1 1:0.9.8-1
ii libxt6 1:1.1.4-1
ii libxxf86vm1 1:1.1.3-1
ii xscreensaver-data 5.26-1

Versions of packages xscreensaver recommends:
ii libjpeg-progs 8d-2
ii miscfiles [wordlist] 1.4.2.dfsg.1-9.1
ii perl [perl5] 5.18.2-4

Versions of packages xscreensaver suggests:
pn fortune <none>
pn gdm3 | kdm-gdmcompat <none>
ii iceweasel [www-browser] 31.0-3
ii lynx-cur [www-browser] 2.8.9dev1-2
pn qcam | streamer <none>
pn xdaliclock <none>
pn xfishtank <none>
pn xscreensaver-gl <none>

-- no debconf information
I think you're being silly, but if you want to do that you can just set the default for grabDesktopImages to false. No need to disable hacks. If you do that you'd better make sure chooseRandomImages is true and imageDirectory has a sensible default. configure.in line 3561.
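One way to check a configuration against the settings named in this thread, as an added Python example that is not part of the original report or of xscreensaver itself. It audits the text of an xscreensaver preferences file for grabDesktopImages, chooseRandomImages, imageDirectory and the three hacks listed above. The file layout it parses (key: value resources, a backslash-continued programs list, a leading "-" marking a disabled hack) and both sample configs are assumptions of this example.

```python
import re

DESKTOP_HACKS = {"distort", "ripples", "slidescreen"}  # hacks named in the report

def parse_resources(text):
    """Return {resource: value}, joining backslash-continued lines."""
    resources = {}
    for line in re.sub(r"\\\n", "", text).splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition(":")
        if sep:
            resources[key.strip().lstrip("*")] = value.strip()
    return resources

def enabled_hacks(programs):
    """Names of enabled hacks; entries that start with '-' are disabled."""
    names = set()
    for entry in programs.split("\\n"):  # entries end with a literal backslash-n
        entry = entry.strip()
        if entry and not entry.startswith("-"):
            words = re.sub(r"^\w+:\s*", "", entry).split()  # drop a "GL:" style prefix
            names.update(words[:1])
    return names

def truthy(value):
    return value.strip().lower() in ("true", "on", "yes")

def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    res = parse_resources(text)
    # Assumption: a missing grabDesktopImages counts as true (the default the reply mentions).
    if truthy(res.get("grabDesktopImages", "True")):
        exposed = sorted(DESKTOP_HACKS & enabled_hacks(res.get("programs", "")))
        return ["grabDesktopImages is true with " + ", ".join(exposed) + " enabled"] if exposed else []
    if not truthy(res.get("chooseRandomImages", "")) or not res.get("imageDirectory"):
        return ["grabDesktopImages is false but no image source is configured"]
    return []

# Constructed sample configs, not taken from a real system.
RISKY = r"""grabDesktopImages: True
programs: \
  maze -root \n\
  distort -root \n\
- ripples -root \n\
"""
HARDENED = "grabDesktopImages: False\nchooseRandomImages: True\nimageDirectory: /usr/share/backgrounds\n"
```

Calling audit(RISKY) reports distort only, because ripples is disabled in that sample; audit(HARDENED) returns no findings.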