Authentication bypass - bug

[pyperanger]

I'm submitting a…

[X] Bug
[ ] Feature Request
[ ] Other (Please describe in detail)

Reproduction Instructions

With i3lock open I double-clicked the "enter" key and was able to authenticate without having to provide my password. I do not know if this is a bug or some functionality I did not read.

Environment

Output of i3lock --version:

i3lock version: i3lock: version 2.9.1 (2017-06-21) © 2010 Michael Stapelberg

[Airblader]

This would be pretty serious. Is this something you can reproduce or did it happen only once?

If so, can you rule out with certainty that you had entered the password previously (and forgot about it)?

Also, was i3lock running for a while already or had you just opened it? If the latter, are you sure it had succeeded locking already? Locking is a process that takes a bit of time as it grabs pointer and keyboard, and can fail.

[pyperanger]

I can do this every time I call i3lock, without even having provided my password at any time.

i3config => bindsym $sup+l exec i3lock -c 000000 -n

audit => type=ANOM_ABEND msg=audit(1541516281.977:1867): auid=1000 uid=1000 gid=1000 ses=2 pid=21833 comm="i3lock" exe="/usr/bin/i3lock" sig=11 res=1

[Airblader]

Can you update to the latest i3lock (2.11) and see if the issue still persists there?

[pyperanger]

OS: Fedora 25 PAM: pam-devel-1.3.0-1.fc25.x86_64 pam-1.3.0-1.fc25.x86_64

2.9.1 => Bug found 2.10 => Still bugged 2.11 => Trying to compile .. some problems hehe

[Airblader]

Since it seems to be i3lock crashing, if 2.11 still has this issue, would be good if we could pull a gdb backtrace to identify the issue.

If you need help with the compilation issues, just let us know.

[pyperanger]

During the reinstallation of some libraries (specifically PAM 1.3.0), the bug was no longer detected. It's probably been a problem with internal libs than the i3lock itself. Sorry about that.

If I notice it again, I'll report it in more detail.

[Airblader]

No problem, thanks for reporting it anyway!