[PATCH SECURITY] XKB: Workaround for CVE-2012-0064: Stop calling UngrabAllDevices().
daniel at fooishbar.org
Thu Jan 19 03:25:52 PST 2012
I guess we can decloak this since it's on Phoronix ...
On 19 January 2012 21:20, Cyril Brulebois <kibi at debian.org> wrote:
> The introduction of XKB debugging functions in the following commit:
> | XKB: Add debug key actions for grabs & window tree
> leads to the ability of bypassing X screen locking programs with key
> combinations like: Ctrl+Alt+KP_Multiply (Multiply key on the numpad).
Yeah. There must've been a miscommunication between Sergey and me,
because the actions were never meant to be enabled by default.
> As a quick workaround, stop calling UngrabAllDevices().
> On a side note, it doesn't seem to care much about its kill_client
> parameter, which is only used to decide which message should be
> This is a candidate for the 1.11 branch.
This is the patch I've sent, which I think at least Red Hat are
probably going to run with. It does mean a malicious client could
alter the keymap and thus leave your screensaver vulnerable in the
future, but a malicious client could also just kill the screensaver,
or impersonate it, or, or, or ...
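The thread explains that the grab-breaking debug key actions were left bound in the default keymap, so a defender who cannot yet deploy the server workaround wants a quick way to tell whether a running server still has them. The script below is an added example, not the patch from this thread nor X.Org code. It assumes (not stated on the page) that the actions show up in an `xkbcomp` dump of the server's compat map as `Private(type=0x86, data="Ungrab")` and `Private(type=0x86, data="ClsGrb")`, bound to the `XF86_Ungrab` and `XF86_ClearGrab` interpretations, and that `xkbcomp <display> -` writes the live keymap to stdout. The sample keymap fragments are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the xorg-devel thread or the X.Org tree): report
# whether a keymap still binds the XKB grab-breaking debug actions.
# Assumption: in xkbcomp output the actions appear as
#   Private(type=0x86,data="Ungrab")  and  Private(type=0x86,data="ClsGrb")
# inside the xkb_compatibility section.

# Read a keymap dump on stdin, print how many grab-breaking Private actions
# it binds, and return 0 only when none are bound.
count_grab_break_actions() {
    # "|| :" keeps a no-match exit status from aborting under "set -e";
    # grep -c still prints 0 in that case.
    n=$(grep -cE 'Private *\( *type *= *0x86 *, *data *= *"(Ungrab|ClsGrb)"' || :)
    echo "$n"
    [ "$n" -eq 0 ]
}

# Dump the keymap of a live server (assumes xkbcomp can read from a display)
# and run the same check on it.
check_running_server() {
    xkbcomp "${DISPLAY:-:0}" - 2>/dev/null | count_grab_break_actions
}

# Constructed sample: compat map with the debug actions still bound.
sample_vulnerable_compat() {
    cat <<'EOF'
xkb_compatibility "complete" {
    interpret XF86_Switch_VT_1 {
        action= SwitchScreen(screen=1,!same);
    };
    interpret XF86_Ungrab {
        action= Private(type=0x86,data="Ungrab");
    };
    interpret XF86_ClearGrab {
        action= Private(type=0x86,data="ClsGrb");
    };
};
EOF
}

# Constructed sample: compat map where only the VT-switch action remains.
sample_fixed_compat() {
    cat <<'EOF'
xkb_compatibility "complete" {
    interpret XF86_Switch_VT_1 {
        action= SwitchScreen(screen=1,!same);
    };
};
EOF
}

# Usage: ./check_grab_actions.sh --live   (inspect the server on $DISPLAY)
if [ "${1:-}" = "--live" ]; then
    if check_running_server >/dev/null; then
        echo "no grab-breaking debug actions bound"
    else
        echo "grab-breaking debug actions are bound: screen lockers can be bypassed"
    fi
fi
```

Run it with `--live` on the workstation in question; a non-zero count means the keymap still carries the actions and the server-side workaround (or a keymap without those bindings) is needed. The check reads the keymap the server actually compiled, so it also catches a client that has uploaded a keymap re-adding the actions, which is the residual risk the reply above points out.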