Now-Closed KDE Vulnerabilities Remind Us X11 Screen Locks / Screensavers Are Insecure

Written by Michael Larabel in KDE on 27 January 2015 at 09:00 AM EST.
In addition to KDE Plasma 5.2 bringing many new features with today's release, it also addresses some security vulnerabilities concerning KDE's screen locker. Of course, to any longtime Phoronix readers following our frequent X11/X.Org coverage, this hardly comes as a surprise.

X11 is insecure. X11 has no concept of a screen locker, is frequently affected by a large number of security vulnerabilities dating back many years, and so on. Security researchers even say X.Org's security is worse than it looks. Back in 2012, an X.Org Server bug showed just how easy it is to break the screensavers and any screen lock that may be employed by the system.

The newest example of an X11 screen lock issue comes from Martin Gräßlin, who found, exploited, and fixed two vulnerabilities in the modern KDE screen lock. One issue was with the QtQuick UI used for the screen lock, and the second was about the screen locker's usage of X11.

Those interested in the details of the latest X11 screen locking woes on KDE can read Martin's blog post. He also whipped up a fake KDE screen lock in about one hour to demonstrate how lock screens on X11 are just like any other client and cannot be trusted.

At least when Wayland finally takes over, the security situation improves, since Wayland allows the screen locking mechanism to be part of the compositor rather than just another client.