Mario Palomo
2012-Jan-19 17:21 UTC
[Secure-testing-team] Bug#656494: [xserver-xorg-core] All screen-lockers broken by a keypress (Ctrl+Alt+* (keypad))
Package: xserver-xorg-core
Version: 2:1.11.3.901-1
Severity: critical
Tags: security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org

It is possible to kill every screensaver/screen locker program (gnome-screensaver, kscreenlocker, slock, slimlock...) on the latest version of Xorg (1.11) using the Ctrl+Alt+Multiply key binding. It didn't work for multiply from shift+plus (Spanish keyboard layout), but the keypad's plus (involving Num lock) did bypass the password dialog. I have tested it with kscreenlocker.

This behavior seems to have been introduced in a recent commit in Xorg upstream:
http://cgit.freedesktop.org/xorg/xserver/commit/?id=7d2543a3cb3089241982ce4f8984fd723d5312a1
(source: http://seclists.org/oss-sec/2012/q1/191)

--- System information. ---
Architecture: i386
Kernel: Linux 3.1.0-1-686-pae

Debian Release: wheezy/sid
  500 unstable www.debian-multimedia.org
  500 unstable http.us.debian.org
  500 stable   security.debian.org

--- Package information. ---
Depends                       (Version) | Installed
==============================================-+-===================
xserver-common       (>= 2:1.11.3.901-1) | 2:1.11.3.901-1
keyboard-configuration                   | 1.75
udev                          (>= 149)   | 175-3
libaudit0                  (>= 1.7.13)   | 1.7.18-1
libc6                         (>= 2.8)   | 2.13-24
libdrm2                     (>= 2.3.1)   | 2.4.30-1
libgcrypt11                 (>= 1.4.5)   | 1.5.0-3
libpciaccess0              (>= 0.10.7)   | 0.12.902-1
libpixman-1-0              (>= 0.21.6)   | 0.24.0-1
libselinux1                (>= 2.0.82)   | 2.1.0-4
libudev0                      (>= 146)   | 175-3
libxau6                                  | 1:1.0.6-4
libxdmcp6                                | 1:1.1.0-4
libxfont1                   (>= 1:1.4.2) | 1:1.4.4-1

Recommends               (Version) | Installed
=================================-+-=============
libgl1-mesa-dri       (>= 7.10.2-4) | 7.11.2-1

Suggests              (Version) | Installed
==============================-+-==========
xfonts-100dpi                   | 1:1.0.3
 OR xfonts-75dpi                | 1:1.0.3
xfonts-scalable                 | 1:1.0.3-1
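A quick way to tell whether a running X server still carries the grab-breaking bindings the report describes is to dump its compiled keymap and look for the keysyms those Ctrl+Alt keypad levels resolve to. The script below is an added example, not part of the bug report or of Xorg/xkeyboard-config; it assumes (from my reading of xkeyboard-config, not confirmed by this page) that the bindings use the keysym names XF86ClearGrab (Ctrl+Alt+KP_Multiply, kills clients holding grabs) and XF86Ungrab (Ctrl+Alt+KP_Divide, releases grabs), and that xkbcomp(1) writes the keymap for a display to stdout with `xkbcomp -xkb "$DISPLAY" -`. The sample keymap fragment embedded in it is constructed so that the check can run without an X server.

```shell
#!/bin/sh
# grab_action_keys: read an xkbcomp keymap dump on stdin and print one
# "<KEYNAME> KEYSYM" line for every key whose symbol list binds one of the
# grab-breaking keysyms XF86ClearGrab or XF86Ungrab (assumed names).
# Any output means a screen locker's keyboard grab can be broken from the
# console by the corresponding Ctrl+Alt+keypad chord.
grab_action_keys() {
    awk '
        BEGIN { RS = ";" }   # each "key <NAME> { ... }" stanza ends with ";"
        /key[[:space:]]+<[^>]+>/ && /XF86(ClearGrab|Ungrab)/ {
            match($0, /<[^>]+>/)
            name = substr($0, RSTART, RLENGTH)
            match($0, /XF86(ClearGrab|Ungrab)/)
            sym = substr($0, RSTART, RLENGTH)
            print name, sym
        }'
}

# Constructed sample in xkbcomp -xkb output style (not a real dump): a pc-style
# symbols section where the fifth (Ctrl+Alt) level of the keypad "*" and "/"
# keys carries the grab-breaking keysyms, while keypad "+" does not.
SAMPLE_KEYMAP='xkb_keymap {
xkb_symbols "pc+us+inet(evdev)" {
    key <KPDV> { type="CTRL+ALT", [ KP_Divide, KP_Divide, KP_Divide, KP_Divide, XF86Ungrab ] };
    key <KPMU> { type="CTRL+ALT", [ KP_Multiply, KP_Multiply, KP_Multiply, KP_Multiply, XF86ClearGrab ] };
    key <KPAD> { [ KP_Add ] };
};
};'

# check_sample: run the scanner over the constructed dump and report whether
# any grab-breaking binding was found (0 = bindings present, 1 = none).
check_sample() {
    found=$(printf '%s' "$SAMPLE_KEYMAP" | grab_action_keys)
    printf '%s\n' "$found"
    [ -n "$found" ]
}

# Against a live server (assumed xkbcomp invocation), run:
#   xkbcomp -xkb "$DISPLAY" - 2>/dev/null | grab_action_keys
```

If the live dump prints <KPMU> XF86ClearGrab or <KPDV> XF86Ungrab, the server's keymap still exposes the chord that killed the lockers in the report; an empty result only shows the keysyms are not bound in the symbols section, it says nothing about a server that has been patched to ignore them.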