Date:	Thu, 24 Jun 1999 11:41:26 +0000
From:	Martin Jones <mjones@POWERUP.COM.AU>
Subject:      Re: Security flaw in klock
To:	BUGTRAQ@NETSPACE.ORG

A patch to fix this bug is attached at the end of this mail.

An explanation of the bug:

1. A timer is set to delete the passwd entry dialog after
   a period of inactivity (5 secs).
2. When the user hits enter, a program is run (kcheckpass) to
   determine whether a valid password was entered.
3. While klock is waiting for kcheckpass to complete it calls
   QApplication::processEvents().

So if the timer is triggered while we are waiting for
kcheckpass to complete, the dialog is deleted.  When
kcheckpass completes, we continue on but the dialog has
been deleted from under us -> crash.

This is easier to replicate if kcheckpass is slow on your
particular machine.  I can replicate this bug very easily
by adding a sleep(2) to kcheckpass.

The fix:

Stop the timer when Enter is pressed, thereby preventing
the dialog from being deleted while kcheckpass is running.

-------------------------------- cut -----------------------
diff -u -r1.13.4.2 saver.cpp
--- saver.cpp   1999/05/28 09:37:28 1.13.4.2
+++ saver.cpp   1999/06/24 10:42:34
@@ -151,6 +151,7 @@
            break;

        case Key_Return:
+            timer.stop();
            waitForAuthentication = true;
            if ( tryPassword() )
                emit passOk();
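Review bot: nothing in this hunk restarts the timer after the timer.stop() added under case Key_Return, so if tryPassword() returns false the path that follows (outside the context shown) needs to start the inactivity timer again; otherwise the password dialog no longer times out after a wrong password. A one-line comment above timer.stop() saying that it keeps the dialog alive while the password check is pending would also help, since the reason is not evident from the code itself.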
-------------------------------- cut -----------------------

Martin Jones
mjones@kde.org
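
The race described in the explanation above, modelled without Qt as an added example (this is not klock's code; `Locker`, `PasswordDialog` and `dialogSurvives` are hypothetical names). It shows a timer event dispatched from the nested event loop deleting the dialog, and the effect of stopping the timer before the password check.

```cpp
#include <functional>
#include <memory>
#include <utility>
#include <vector>

struct PasswordDialog { bool accepted = false; };  // stand-in for the dialog

// Model of the locker: an inactivity timer, the dialog, and queued events
// that a nested processEvents() call dispatches.
struct Locker {
    std::unique_ptr<PasswordDialog> dialog = std::make_unique<PasswordDialog>();
    bool timerActive = true;
    std::vector<std::function<void()>> pending;

    // Step 1: timer expiry deletes the dialog (ignored once the timer is stopped).
    void onTimeout() { if (timerActive) dialog.reset(); }

    // Step 3: nested event dispatch while the checker runs.
    void processEvents() {
        auto events = std::move(pending);
        pending.clear();
        for (auto &e : events) e();
    }

    // Step 2: wait for the checker; the timer comes due in the meantime.
    bool tryPassword() {
        pending.push_back([this] { onTimeout(); });
        processEvents();
        return true;  // constructed: checker reports a valid password
    }

    // Returns false where the unpatched code would touch a deleted dialog.
    bool onReturnKey(bool stopTimerFirst) {
        if (stopTimerFirst) timerActive = false;  // the patch's timer.stop()
        bool ok = tryPassword();
        if (!dialog) return false;
        dialog->accepted = ok;
        return true;
    }
};

bool dialogSurvives(bool stopTimerFirst) {
    Locker l;
    return l.onReturnKey(stopTimerFirst);
}

// Exit status 0 when the patched path survives and the unpatched one does not.
int main() { return (dialogSurvives(true) && !dialogSurvives(false)) ? 0 : 1; }
```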