
From: Sebastian Pipping <sebastian-V0xhYuj+IbtAfugRpC6u6w <at> public.gmane.org>
Subject: Re: Screen locking programs on Xorg 1.11
Newsgroups: gmane.comp.security.oss.general
Date: Thursday 19th January 2012 07:45:51 UTC

On 01/19/2012 01:03 AM, Gu1 wrote:
> Hi,
> I recently found out that it is possible to kill a screensaver/screen
> locker program on the latest version of Xorg (1.11 shipped with
> archlinux, debian wheezy..) using the Ctrl+Alt+Multiply key binding.

I was able to reproduce it with Xorg 1.11.3 on Gentoo.
It didn't work for multiply from shift+plus (German keyboard layout) but
the keypad's plus (involving Num lock) did bypass the password dialog.
Scary!


> This behavior seems to have been introduced in a recent commit[1] and I
> couldn't find a way to disable it.
> 
> All screen locking programs I tested (gnome-screensaver, kscreenlocker,
> slock, slimlock...), are basically rendered useless.

Thanks for not keeping this to yourself.  I'm really glad to know.


> [1]:
> http://cgit.freedesktop.org/xorg/xserver/commit/?id=7d2543a3cb3089241982ce4f8984fd723d5312a1

I found the commit on branch master, see here:

  http://cgit.freedesktop.org/xorg/xserver/log/?ofs=650

The first tag coming later in time seems to be xorg-server-1.10.99.902
on the page before:

  http://cgit.freedesktop.org/xorg/xserver/log/?ofs=600

I looked for function PrintDeviceGrabInfo introduced by the commit you
pointed to:

  # grep -Rl '^PrintDeviceGrabInfo' \
        xorg-server-1.10.3.901 \
        xorg-server-1.10.99.902 \
        xorg-server-1.11.3
  xorg-server-1.10.99.902/dix/grabs.c
  xorg-server-1.11.3/dix/grabs.c

So from a superficial analysis anything since 1.10.99.902 could be
vulnerable.

Best,



Sebastian
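
The source-tree comparison from the message above, written out as an added example (not part of the original post): it lists which unpacked trees define a function at the start of a line and picks the oldest by version sort. The function names `trees_defining`, `first_affected` and `make_sample_trees` are hypothetical, and the sample trees are constructed stand-ins, not real X.Org sources.

```shell
#!/bin/sh
# Added example: which unpacked source trees define a function, and which is oldest?

# Print each DIR whose sources define SYMBOL at column 0. The X server style puts
# the return type on its own line, so "^name(" matches definitions, not callers.
trees_defining() {
    sym=$1; shift
    for tree in "$@"; do
        if grep -Rqs "^${sym}[[:space:]]*(" "$tree"; then
            printf '%s\n' "$tree"
        fi
    done
}

# Oldest tree (version sort) that defines SYMBOL; empty output if none does.
first_affected() {
    sym=$1; shift
    trees_defining "$sym" "$@" | sort -V | head -n 1
}

# Constructed stand-ins for the three tarballs named in the message.
make_sample_trees() {
    root=$1
    for v in 1.11.3 1.10.3.901 1.10.99.902; do
        mkdir -p "$root/xorg-server-$v/dix"
        printf 'int\nPlaceholderFunc(void)\n{\n    return 0;\n}\n' \
            > "$root/xorg-server-$v/dix/grabs.c"
    done
    for v in 1.11.3 1.10.99.902; do
        printf 'void\nPrintDeviceGrabInfo(void *dev)\n{\n}\n' \
            >> "$root/xorg-server-$v/dix/grabs.c"
    done
    # A mere mention inside another line must not count as a definition.
    printf 'void f(void) { /* PrintDeviceGrabInfo(dev); */ }\n' \
        >> "$root/xorg-server-1.10.3.901/dix/grabs.c"
}

demo_root=$(mktemp -d)
make_sample_trees "$demo_root"
echo "defined in:"
trees_defining PrintDeviceGrabInfo "$demo_root"/xorg-server-* | sed 's|.*/|  |'
echo "oldest: $(first_affected PrintDeviceGrabInfo "$demo_root"/xorg-server-* | sed 's|.*/||')"
rm -rf "$demo_root"
```

Symbol presence only narrows the range of releases to inspect; it does not by itself show that a given build has the key binding enabled.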