(no title)

Actually this is not the first time this kind of bug happening. A few years ago, gnome-screensaver suffers from exactly the same kind of Bug: Keeping <ENTER> pressed would trigger a bug in GTK+ and crash the screen locker.

However jerking off to discussions about how to properly implement screen locker password input completely misses the point: That locking a screen/session from "inside" always will be flawed. There's an "easy" way to fix it: Instead of trying to lock a session with an inside locker, it should be detached from the terminal instead.

If you're working on just the text console this is a piece of cake: Use tmux or screen for the login shell and as soon as you detach from it you're getting logged out (a lot of people use this setup). There's no way a screen locker crash would pose a security thread, because there's no screen locker at all. Just the regular login which when crashing gets respawned.

Had XFree86/Xorg the capability to detach the X server from the screen, this would allow to log out to the regular display manager login and "unlocking" a session would be simply reattaching to it. Unfortunately the internal driver/device model used by XFree86/Xorg made it hard to impossible to implement such a thing (this is not a drawback of the X11 protocol per se, but the widespread implementations of it).

Luckily Linux is moving to a new graphics model and whatever we'll use in a few years, hopefully detaching graphical sessions will become as simple as using tmux/screen; then you'd close a terminal session instead of locking and no longer need a screen locker.

Really? The security bugs that have been reported in gnome-screensaver haven't had anything to do with the libraries it uses, and the bug mentioned in this story isn't even in gnome-screensaver.

Meanwhile, http://www.cvedetails.com/vulnerability-list/vendor_id-1861/... . Security is, in general, difficult.