GNOME screen lock ineffective in openSUSE Linux - Update
The screen lock of openSUSE 11.2 can be bypassed by the simplest of means. A reader's report prompted The H's associates at heise Security to investigate. Tests confirmed that a locked desktop session can be unlocked without a password simply by holding down the return key. This causes the GNOME screen saver to crash and unlock the desktop after only a few seconds.
The gnome-screensaver-2.28.0-2.3 package is affected in the standard repositories, but older packages could potentially also contain the flaw. In other GNOME 2.28-based Linux distributions such as Ubuntu and Fedora the screen lock mechanism works perfectly. The SUSE Enterprise versions are unlikely to be affected by the problem because they are still based on openSUSE 11.1.
The servers for future updates already offer version 2.28.0-2.4.1 of the GNOME screen saver. Those who depend on the screen lock to prevent others from obtaining unauthorised desktop access are advised to update to the new version. The address of the test update repository is http://download.opensuse.org/update/11.2-test/. The new package can also be downloaded manually (direct downloads are available for i586 and x86_64) and installed on the command line via rpm -Uhv <package_name>.rpm. SUSE has yet to clarify when the update will be transferred to the regular update repositories.
Update: It is not possible to reproduce the problem on all systems. The previously mentioned update is now available as a regular update, but it does not fix the problem. According to Marcus Meissner from the SUSE Security Team, the issue is probably the GNOME bug 598476 – "gnome screen saver crashes when entering password incorrectly 5 times" where the dialogue exits before the shake animation finishes. This has been fixed in the source code repository, but only for GNOME version 2.28.1. Installable packages of this version are not yet available.
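Because the 2.28.0-2.4.1 package does not carry the fix and only the 2.28.1 source tree does, an administrator auditing a fleet wants a quick version check rather than trusting "an update was installed". The following shell script is an added example, not part of the article or of openSUSE's tooling: it compares a gnome-screensaver VERSION-RELEASE string against 2.28.1 (the version the article names as fixed) and classifies it. The sample version strings are constructed from the package versions named above; on a real host the input would come from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' gnome-screensaver`.

```shell
# Added example (not from the article). Classify an installed
# gnome-screensaver VERSION-RELEASE string against the version the
# article names as carrying the fix for GNOME bug 598476.
FIXED_VERSION="2.28.1"   # per the article: fixed only in the 2.28.1 tree

# Compare two version strings field by field as integers, treating '-' and
# '.' alike and missing trailing fields as 0. Prints "ge" if $1 >= $2,
# otherwise "lt".
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/-/, ".", a); gsub(/-/, ".", b)
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x > y) { print "ge"; exit }
            if (x < y) { print "lt"; exit }
        }
        print "ge"
    }'
}

# Report "fixed" when the package is at or above FIXED_VERSION, else
# "vulnerable" (meaning: still on a release the article says lacks the fix).
screensaver_status() {
    if [ "$(version_cmp "$1" "$FIXED_VERSION")" = "ge" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Constructed sample inputs: the affected package, the first update the
# article says does not fix the bug, and a hypothetical 2.28.1 build.
for v in "2.28.0-2.3" "2.28.0-2.4.1" "2.28.1-1.1"; do
    printf 'gnome-screensaver-%s: %s\n' "$v" "$(screensaver_status "$v")"
done
```

The check is deliberately version-based and conservative: a distribution may backport the fix into a lower-numbered package, so a "vulnerable" result means "not demonstrably fixed by version number" and should be confirmed against the vendor's changelog rather than taken as proof of exposure.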