== Security ==

In addition to [[Sandbox (computer security)|sandboxing]] the display modes, the XScreenSaver daemon links with as few libraries as possible. In particular, it does not link against GUI frameworks like [[GTK]] or [[KDE]], but uses only raw [[Xlib]] for rendering the unlock dialog box.

In recent years, some [[Linux distributions]] have begun using the [[gnome-screensaver]] or [[KDE|kscreensaver]] screen-blanking frameworks by default instead of the framework included with XScreenSaver.<ref>{{cite web | title = XScreenSaver FAQ regarding KDE/Gnome | url = https://www.jwz.org/xscreensaver/faq.html#kde | access-date = 24 December 2020 }}</ref> In 2011, [[gnome-screensaver]] was forked as both [[MATE (software)|mate-screensaver]] and [[Cinnamon (desktop environment)|cinnamon-screensaver]]. Earlier versions of these frameworks still depended upon the XScreenSaver collection of screen savers, which is over 90% of the package.<ref>{{cite web | title = XScreenSaver source code distribution | date = 8 December 2020 | url = https://www.jwz.org/xscreensaver/download.html | access-date = 24 December 2020 }}</ref> However, in 2011, [[gnome-screensaver]] version 3 dropped support for screensavers completely, supporting only simple screen blanking,<ref>{{cite mailing list | url = http://mail.gnome.org/archives/gnome-shell-list/2011-March/msg00340.html | title = Re: What is the status of the screensaver in GNOME3? | first = Giovanni | last = Campagna | date = 21 March 2011 | mailing-list = gnome-shell }}</ref> and as of 2018, [[Linux Mint]]'s [[Cinnamon (software)|cinnamon-screensaver]] 4.0.8 no longer supports the XScreenSaver hacks.<ref>{{cite web | title = Linux Mint 19.1 Announcement | date = 20 December 2018 | url = https://blog.linuxmint.com/?p=3715 | access-date = 24 December 2020 }}</ref>

Those Linux distributions that have replaced XScreenSaver with other screen-locking frameworks have suffered notable security problems.
Those other frameworks have a history of security bugs that allow the screen to be unlocked without a password, e.g., by simply holding a key down until the locker crashes.<ref>{{cite web | title = Gnome-Screensaver Key Flood | date = 16 April 2014 | url = https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308572 | access-date = 24 December 2020 }}</ref><ref>{{cite web | title = Cinnamon-Screensaver Key Flood | website = [[GitHub]] | date = 22 August 2014 | url = https://github.com/linuxmint/Cinnamon/issues/3443 | access-date = 24 December 2020 }}</ref><ref>{{cite web | title = CVE-2014-1949, Cinnamon-Screensaver Lock Bypass | date = 16 January 2015 | url = https://nvd.nist.gov/vuln/detail/CVE-2014-1949 | access-date = 24 December 2020 }}</ref><ref>{{cite web | title = Mandriva Security Advisory MDVSA-2015:162 | date = 29 March 2015 | url = https://www.securityfocus.com/archive/1/535119/30/0/ | access-date = 24 December 2020 }}</ref><ref>{{cite web | title = CVE-2015-7496, Hold ESC to unlock Gnome-session GDM | date = 24 November 2015 | url = https://nvd.nist.gov/vuln/detail/CVE-2015-7496 | access-date = 18 January 2021 }}</ref><ref>{{cite web | title = CVE-2019-3010, Privilege Escalation in Oracle Solaris XScreenSaver fork | date = 23 October 2019 | url = https://nvd.nist.gov/vuln/detail/CVE-2019-3010 | access-date = 24 December 2020 }}</ref><ref>{{cite web | title = Cinnamon-screensaver lock by-pass via the virtual keyboard | website = [[GitHub]] | date = 15 January 2021 | url = https://github.com/linuxmint/cinnamon-screensaver/issues/354 | access-date = 15 January 2021 }}</ref> In 2004, Zawinski had written about the architectural decisions made in XScreenSaver with the goal of avoiding this very class of bug,<ref>{{cite web | title = XScreenSaver: On Toolkit Dialogs | date = 19 October 2004 | url = https://www.jwz.org/xscreensaver/toolkits.html | access-date = 24 December 2020 }}</ref> leading him to quip in 2015, "If you are not running XScreenSaver on Linux, then it is safe to assume that your screen does not lock."<ref>{{cite web | title = jwz.org blog post about Gnome security bugs | date = 4 April 2015 | url = https://www.jwz.org/blog/2015/04/i-told-you-so-again/ | access-date = 24 December 2020 }}</ref>