[CentOS] XScreenSaver

Tue Apr 10 01:34:19 UTC 2018
Stephen John Smoogen <smooge at gmail.com>

On 9 April 2018 at 04:47, Tom Grace <lists-in at deathbycomputers.co.uk> wrote:
> On 09/04/2018 07:47, Nicolas Kovacs wrote:
>> I didn't know a screensaver was that critical.
> It's critical in that XScreenSaver deals with locking the screen/dealing
> with passwords. I believe the fancy animation bits are separate.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

xscreensaver is security critical for the following reasons:
1. Several of the screensavers take user input which may not be the
main user. If the software has a security problem. those plugins could
overwrite the users data.
2. If the user is expecting that the xscreensaver is locking out a
user and it does not then that is security related
3. The way X works is that every X application can listen to all mouse
and keyboard actions. This also has a security context.

For many sites, any of these make Xscreensaver into a high security
item. It makes perfect sense from jwz's point of view because several
times something 'simple' in an xscreensaver code has turned into a
meltdown somewhere. And the fact that people email him before emailing
the EPEL maintainer or opening a bugzilla about it says his time is
better served saying "not my problem mate."

Stephen J Smoogen.