I told you so, 2021 edition
If you are not running XScreenSaver on Linux, then it is safe to assume that your screen does not lock.
- CVE-2019-3010, Privilege escalation in Oracle Solaris screen saver fork.
- CVE-2015-7496: Hold ESC to unlock Gnome-session GDM.
- CVE-2014-1949, MDVSA-2015:162: Press Menu key then ESC in Cinnamon-screensaver, get shell.
- Hold down keys, unlock Cinnamon-screensaver.
- Hold enter, unlock Gnome-screensaver.
You will recall that in 2004, which is now seventeen years ago, I wrote a document explaining why I made the design trade-offs that I did in XScreenSaver, and in that document I predicted this exact bug as my example of, "this is what will happen if you don't do it this way."
And they went and made that happen.
Every time this bug is re-introduced, someone pipes up and says something like, "So what, it was a bug, they've fixed it." That's really missing the point. The point is not that such a bug existed, but that such a bug was even possible. The real bug here is that the design of the system even permits this class of bug. It is unconscionable that someone designing a critical piece of security infrastructure would design the system in such a way that it does not fail safe.
Especially when I have given them nearly 30 years of prior art demonstrating how to do it right, and a two-decades-old document clearly explaining What Not To Do that coincidentally used this very bug as its illustrative strawman!
These bugs are a shameful embarrassment of design -- as opposed to merely bad code.
This same bug keeps cropping up in these other screen lockers for several reasons.
- Writing security-critical code is hard. Most people can't do it.
- Locking and authentication is an OS-level problem. And while X11 is at the heart of the OS of a Linux desktop computer, it was designed with no security to speak of, and so lockers have to run as normal, unprivileged, user-level applications. That makes the problem even harder.
- This mistake of the X11 architecture can never, ever be fixed. X11 is too old, too ossified, and has too many quagmire-trapped stakeholders to ever make any meaningful changes to it again. That's why people keep trying to replace X11 -- and failing, because it's too entrenched.
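To make the "fail safe" argument concrete, here is an added, deliberately simplified model (not XScreenSaver's code, nor any of the lockers named above) contrasting a locker whose lock dies with its password dialog against one where a supervisor that never parses keystrokes holds the lock and only releases it on an explicit success. The dialog stand-ins and their exit-code convention (0 authenticated, 1 wrong password, anything else abnormal death) are constructed for this example.

```python
import subprocess
import sys

# Constructed stand-ins for a password prompt, run as child processes so the
# model mirrors a locker whose prompt is separate from the process holding the
# lock. Exit-code convention assumed for this example: 0 = authenticated,
# 1 = wrong password, anything else = the prompt died abnormally.
DIALOG_AUTH_OK = "import sys; sys.exit(0)"
DIALOG_AUTH_FAIL = "import sys; sys.exit(1)"
DIALOG_CRASH = "import os; os.abort()"   # e.g. an input-handling bug hit by held-down keys


def run_dialog(dialog_code):
    """Spawn one password prompt and report how it ended."""
    return subprocess.run([sys.executable, "-c", dialog_code]).returncode


def fail_open_locker(dialogs):
    """Flawed design: the code that covers the screen and the code that reads
    untrusted keystrokes are one and the same. When that code dies, nothing is
    left on the screen, so the session is exposed without any password."""
    for code in dialogs:
        rc = run_dialog(code)
        if rc == 0:
            return ("unlocked", "authenticated")
        if rc != 1:
            return ("unlocked", "dialog crashed")   # the lock went away with the dialog
        # rc == 1: wrong password, prompt again
    return ("locked", "no successful authentication")


def fail_safe_locker(dialogs):
    """Fail-safe design: a supervisor that never touches keyboard input holds the
    lock and releases it only on an explicit success from a prompt. A crashed
    prompt is simply replaced; the screen stays covered."""
    for code in dialogs:
        rc = run_dialog(code)
        if rc == 0:
            return ("unlocked", "authenticated")
        # wrong password or crash: remain locked and spawn a fresh prompt
    return ("locked", "no successful authentication")
```

With the same crashing prompt, the first design reports "unlocked" and the second stays "locked" until a prompt actually succeeds.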
As always, these bugs are terrible because bad security is worse than no security. If you knew for a fact that your screen didn't lock, you would behave appropriately. Maybe you'd log out when you walked away. Maybe you wouldn't use that computer for certain things. But a security placebo makes you behave as if it's secure when in fact it is not.
One of the infuriating parts of these recurring bugs is that the screen-locker part of XScreenSaver isn't even the fun part! I do not enjoy working on it. I never have. I added it in response to demand and necessity, not because it sounded like a good time. I started and continue this project as an outlet for making art. I'd much rather be spending my time pushing triangles.
And in not-at-all-unrelated news:
Just to add insult to injury, it has recently come to my attention that not only are Gnome-screensaver, Mate-screensaver and Cinnamon-screensaver buggy and insecure dumpster fires, but they are also in violation of my license and infringing my copyright.
XScreenSaver was released under the BSD license, one of the oldest and most permissive of the free software licenses. It turns out, the Gnome-screensaver authors copied large parts of XScreenSaver into their program, removed the BSD license and slapped a GPL license on my code instead -- and also removed my name. Rude.
If they had asked me, "can you dual-license this code", I might have said yes. If they had asked, "can we strip your name off and credit your work as (C) William Jon McCann instead"... probably not.
Mate-screensaver and Cinnamon-screensaver, being forks and descendants of Gnome-screensaver, have inherited this license violation and continue to perpetuate it. Every Linux distro is shipping this copyright- and license-infringing code.
I eagerly await hearing how they're going to make this right.
Since writing the above, I significantly refactored the security-critical parts of XScreenSaver, making it even safer. Details of what was involved are in my post about the XScreenSaver 6.00 release.
In the intervening two years, the various Linux distros have done nothing to address their copyright- and license-infringement issues.
[ Monkey's paw curls ]