[PATCH SECURITY] XKB: Workaround for CVE-2012-0064: Stop calling UngrabAllDevices().

Daniel Stone daniel at fooishbar.org
Thu Jan 19 03:25:52 PST 2012

I guess we can decloak this since it's on Phoronix ...

On 19 January 2012 21:20, Cyril Brulebois <kibi at debian.org> wrote:
> The introduction of XKB debugging functions in the following commit:
> |     XKB: Add debug key actions for grabs & window tree
> leads to the ability of bypassing X screen locking programs with key
> combinations like: Ctrl+Alt+KP_Multiply (Multiply key on the numpad).

Yeah.  There must've been a miscommunication between Sergey and I,
because the actions were never meant to be enabled by default.

> As a quick workaround, stop calling UngrabAllDevices().
> On a side note, it doesn't seem to care much about its kill_client
> parameter, which is only used to decide which message should be
> ErrorF()'d.
> This is a candidate for the 1.11 branch.

This is the patch I've sent, which I think at least Red Hat are
probably going to run with.  It does mean a malicious client could
alter the keymap and thus leave your screensaver vulnerable in the
future, but a malicious client could also just kill the screensaver,
or impersonate it, or, or, or ...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Hide-ClearGrab-CloseGrabs-actions-behind-an-option.patch
Type: text/x-patch
Size: 2492 bytes
Desc: not available
URL: <http://lists.x.org/archives/xorg-devel/attachments/20120119/bcfd3bb3/attachment.bin>

More information about the xorg-devel mailing list