oss-sec mailing list archives



Re: Screen locking programs on Xorg 1.11

On 01/19/2012 01:03 AM, Gu1 wrote:

Hi, I recently found out that it is possible to kill a screensaver/screen locker program on the latest version of Xorg (1.11 shipped with archlinux, debian wheezy..) using the Ctrl+Alt+Multiply key binding.

I was able to reproduce it with Xorg 1.11.3 on Gentoo. It didn't work for multiply from shift+plus (German keyboard layout) but the keypad's plus (involving Num lock) did bypass the password dialog. Scary!

This behavior seems to have been introduced in a recent commit[1] and I couldn't find a way to disable it. All screen locking programs I tested (gnome-screensaver, kscreenlocker, slock, slimlock...) are basically rendered useless.

Thanks for not keeping this to yourself. I'm really glad to know.

I found the commit on branch master, see here:
http://cgit.freedesktop.org/xorg/xserver/log/?ofs=650

The first tag coming later in time seems to be xorg-server-1.10.99.902, on the page before:
http://cgit.freedesktop.org/xorg/xserver/log/?ofs=600

I looked for function PrintDeviceGrabInfo introduced by the commit you pointed to:

# grep -Rl '^PrintDeviceGrabInfo' \
    xorg-server-1.10.3.901 \
    xorg-server-1.10.99.902 \
    xorg-server-1.11.3
xorg-server-1.10.99.902/dix/grabs.c
xorg-server-1.11.3/dix/grabs.c

So from a superficial analysis anything since 1.10.99.902 could be vulnerable.

Best,
Sebastian
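The grep above is a quick way to bound the affected releases: the commit that added the grab-debugging key binding also added the function PrintDeviceGrabInfo, so any release tree defining that function carries the change. The script below is an added example, not code from the thread or from the Xorg project, that turns the same idea into a reusable triage helper: it takes a marker symbol and a list of unpacked source trees and reports which trees contain it. The three xorg-server trees it builds are constructed stand-ins (two files, a few lines each) so the script runs offline; the real check is run against the actual tarballs, unpacked one directory per release.

```shell
#!/bin/sh
# Added example, not from the thread: generalises the reply's grep into a
# small triage helper. Given unpacked source trees (one directory per
# release), report which trees contain a marker symbol introduced by the
# suspect commit, so the affected-version range can be narrowed without
# building anything. Assumptions: each tree is a directory, and the marker
# is a function name defined at the start of a line (as in the reply's grep).

# affected_trees MARKER DIR...
# Prints the name of every DIR containing the marker, one per line.
# Returns 0 if at least one tree matched, 1 otherwise.
affected_trees() {
    marker=$1
    shift
    rc=1
    for tree in "$@"; do
        if [ ! -d "$tree" ]; then
            printf 'skipping %s: not a directory\n' "$tree" >&2
            continue
        fi
        # -R recurse, -q exit status only, -s suppress unreadable-file noise
        if grep -Rqs "^$marker" "$tree"; then
            printf '%s\n' "$tree"
            rc=0
        fi
    done
    return $rc
}

# make_sample_trees BASE
# Builds three constructed stand-ins for the tarballs named in the reply.
# Only the 1.10.99.902 and 1.11.3 trees define the marker function.
make_sample_trees() {
    base=$1
    for v in 1.10.3.901 1.10.99.902 1.11.3; do
        mkdir -p "$base/xorg-server-$v/dix" || return 1
    done
    printf 'void ProcessInputEvents(void)\n{\n}\n' \
        > "$base/xorg-server-1.10.3.901/dix/grabs.c"
    for v in 1.10.99.902 1.11.3; do
        printf 'void\nPrintDeviceGrabInfo(DeviceIntPtr dev)\n{\n}\n' \
            > "$base/xorg-server-$v/dix/grabs.c"
    done
}

# demo: run the triage over the constructed trees and name the oldest hit.
demo() {
    work=$(mktemp -d) || return 1
    make_sample_trees "$work" || { rm -rf "$work"; return 1; }
    hits=$(cd "$work" && affected_trees PrintDeviceGrabInfo xorg-server-*)
    rm -rf "$work"
    [ -n "$hits" ] || return 1
    printf 'trees containing the marker:\n%s\n' "$hits"
    printf 'earliest affected: %s\n' "$(printf '%s\n' "$hits" | head -n 1)"
}

demo
```

The "earliest affected" line relies on the shell glob expanding in lexical order, which happens to match version order for these three names; for a series that crosses a digit-count boundary (1.9.x next to 1.10.x) sort the tree names by version before taking the first one. A marker grep only proves the code is present, not that the key binding is reachable in a given build or configuration, so treat its result as an upper bound on the affected set rather than a confirmation.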
