oss-sec
mailing list archives
Re: Screen locking programs on Xorg 1.11
From: Sebastian Pipping <sebastian () pipping org>
Date: Thu, 19 Jan 2012 08:45:51 +0100
On 01/19/2012 01:03 AM, Gu1 wrote:
> Hi,
>
> I recently found out that it is possible to kill a screensaver/screen
> locker program on the latest version of Xorg (1.11 shipped with
> archlinux, debian wheezy..) using the Ctrl+Alt+Multiply key binding.

I was able to reproduce it with Xorg 1.11.3 on Gentoo.

It didn't work for multiply from shift+plus (German keyboard layout) but
the keypad's plus (involving Num lock) did bypass the password dialog.
Scary!

> This behavior seems to have been introduced in a recent commit[1] and I
> couldn't find a way to disable it.
> All screen locking programs I tested (gnome-screensaver, kscreenlocker,
> slock, slimlock...), are basically rendered useless.

Thanks for not keeping this to yourself. I'm really glad to know.

> [1]:
> http://cgit.freedesktop.org/xorg/xserver/commit/?id=7d2543a3cb3089241982ce4f8984fd723d5312a1

I found the commit on branch master, see here:
http://cgit.freedesktop.org/xorg/xserver/log/?ofs=650

The first tag coming later in time seems to be xorg-server-1.10.99.902
on the page before:
http://cgit.freedesktop.org/xorg/xserver/log/?ofs=600

I looked for function PrintDeviceGrabInfo introduced by the commit you
pointed to:

  # grep -Rl '^PrintDeviceGrabInfo' \
      xorg-server-1.10.3.901 \
      xorg-server-1.10.99.902 \
      xorg-server-1.11.3
  xorg-server-1.10.99.902/dix/grabs.c
  xorg-server-1.11.3/dix/grabs.c

So from a superficial analysis anything since 1.10.99.902 could be
vulnerable.

Best,

Sebastian