#679973 xscreensaver-data: disable hacks that reveal the desktop

Package:
xscreensaver-data
Source:
xscreensaver
Description:
Screen saver modules for screensaver frontends
Submitter:
Sven Ulland
Date:
2014-08-27 18:48:05 UTC
Severity:
minor
#679973#5
Date:
2012-07-02 19:03:15 UTC
From:
To:
Some hacks reveal the system's desktop, which is a potential security
issue. The xscreensaver package depends on xscreensaver-data, which
includes three hacks of this type: distort, ripples and slidescreen.

I'd suggest moving these from xscreensaver-data to -data-extra, as
they are enabled by default if a user installs the xscreensaver
package, and locking the screen could then provide a false sense of
security when it comes to information leak.

#679973#10
Date:
2014-08-27 16:20:02 UTC
From:
To:
It would also help to just disable these screensavers in the default
config.

In any case, this is a serious security issue, as XScreenSaver is
installed automatically with many window managers/DEs and users expect
it to automatically protect their session.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.14-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages xscreensaver depends on:
ii  libatk1.0-0          2.12.0-1
ii  libc6                2.19-7
ii  libcairo2            1.12.16-2
ii  libfontconfig1       2.11.0-5
ii  libfreetype6         2.5.2-1
ii  libgdk-pixbuf2.0-0   2.30.7-1
ii  libglade2-0          1:2.6.4-2
ii  libglib2.0-0         2.40.0-3
ii  libgtk2.0-0          2.24.23-1
ii  libice6              2:1.0.8-2
ii  libpam0g             1.1.8-3
ii  libpango-1.0-0       1.36.3-1
ii  libpangocairo-1.0-0  1.36.3-1
ii  libpangoft2-1.0-0    1.36.3-1
ii  libsm6               2:1.2.1-2
ii  libx11-6             2:1.6.2-2
ii  libxext6             2:1.3.2-1
ii  libxi6               2:1.7.2-1
ii  libxinerama1         2:1.1.3-1
ii  libxml2              2.9.1+dfsg1-3
ii  libxmu6              2:1.1.2-1
ii  libxpm4              1:3.5.10-1
ii  libxrandr2           2:1.4.2-1
ii  libxrender1          1:0.9.8-1
ii  libxt6               1:1.1.4-1
ii  libxxf86vm1          1:1.1.3-1
ii  xscreensaver-data    5.26-1

Versions of packages xscreensaver recommends:
ii  libjpeg-progs         8d-2
ii  miscfiles [wordlist]  1.4.2.dfsg.1-9.1
ii  perl [perl5]          5.18.2-4

Versions of packages xscreensaver suggests:
pn  fortune                  <none>
pn  gdm3 | kdm-gdmcompat     <none>
ii  iceweasel [www-browser]  31.0-3
ii  lynx-cur [www-browser]   2.8.9dev1-2
pn  qcam | streamer          <none>
pn  xdaliclock               <none>
pn  xfishtank                <none>
pn  xscreensaver-gl          <none>

-- no debconf information

#679973#17
Date:
2014-08-27 18:37:34 UTC
From:
To:
I think you're being silly, but if you want to do that you can just set the default for grabDesktopImages to false. No need to disable hacks.

If you do that you'd better make sure chooseRandomImages is true and imageDirectory has a sensible default. configure.in line 3561.
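
An added example, not part of the thread or of xscreensaver itself: a small audit of an xscreensaver settings file for the three resources named in the last message (`grabDesktopImages`, `chooseRandomImages`, `imageDirectory`). The `name: value` syntax, the optional prefixes, the accepted boolean words and the sample file are assumptions made for the example.

```python
import re

# Resource names come from the thread; "name: value" is the X resource syntax,
# optionally prefixed with "*" or "xscreensaver." (assumed prefixes).
LINE_RE = re.compile(r'^\s*(?:\*|xscreensaver[.*])?(\w+)\s*:\s*(.*?)\s*$')
TRUE_WORDS = {"true", "on", "yes"}  # assumed spellings of a true boolean

def parse_resources(text):
    """Return {name: value} for one-line resources; the last setting wins."""
    found, continued = {}, False
    for line in text.splitlines():
        in_continuation, continued = continued, line.rstrip().endswith("\\")
        if in_continuation or line.lstrip().startswith(("!", "#")):
            continue  # body of a multi-line value (e.g. programs:) or a comment
        m = LINE_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def audit(text):
    """Return a list of findings about desktop-image grabbing; empty means OK."""
    res = parse_resources(text)
    grab = res.get("grabDesktopImages")
    if grab is None:
        return ["grabDesktopImages is not set here; the packaged default applies"]
    if grab.lower() in TRUE_WORDS:
        return ["grabDesktopImages is enabled; hacks may display the desktop"]
    findings = []
    if res.get("chooseRandomImages", "").lower() not in TRUE_WORDS:
        findings.append("chooseRandomImages is not enabled")
    if not res.get("imageDirectory"):
        findings.append("imageDirectory is empty or unset")
    return findings

# Constructed sample in the style of ~/.xscreensaver (not taken from the report).
SAMPLE = """\
# constructed example
lock:              True
grabDesktopImages: True
chooseRandomImages: False
imageDirectory:
programs:          \\
  distort -root    \\n\\
  ripples -root    \\n
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["no desktop-grabbing findings"]:
        print(finding)
```

To check a real configuration, pass the contents of the user's `~/.xscreensaver` or the packaged defaults file to `audit()`.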