Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 399347 (CVE-2012-0064) - >=x11-base/xorg-server-1.10.99.902 <x11-misc/xkeyboard-config-2.4.1-r3 : screen lock bypass via XKB debug hotkeys (CVE-2012-0064)
Summary: >=x11-base/xorg-server-1.10.99.902 <x11-misc/xkeyboard-config-2.4.1-r3 : scre...
Status: RESOLVED FIXED
Alias: CVE-2012-0064
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://thread.gmane.org/gmane.comp.se...
Whiteboard: A3 [glsa]
Keywords:
: 399351 399383 399453 399485 (view as bug list)
Depends on:
Blocks:
 
Reported: 2012-01-19 07:45 UTC by Sebastian Pipping
Modified: 2012-01-27 21:59 UTC (History)
11 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sebastian Pipping gentoo-dev 2012-01-19 07:45:09 UTC
The password query (of gnome-screensaver and others) can be bypassed pressing <Ctrl>+<Alt>+<Keypad_Plus>.  More details here:

  Screen locking programs on Xorg 1.11
  http://thread.gmane.org/gmane.comp.security.oss.general/6725

So scary to me that I chose to let you decide, when the public should see this...
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-01-19 08:54:20 UTC
*** Bug 399351 has been marked as a duplicate of this bug. ***
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-01-19 08:59:47 UTC
The issue is public, thus I'm unrestricting the bug.

Commit introducing the issue:
http://cgit.freedesktop.org/xorg/xserver/commit/?id=7d2543a3cb3089241982ce4f8984fd723d5312a1
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2012-01-19 09:06:37 UTC
This also works against xtrlock (debian) and slock (gentoo).
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2012-01-19 09:24:12 UTC
There is a pretty simple patch in the thread, that works for me:

"As a temporary solution, I've found that commenting lines 44-49 in
/usr/share/X11/xkb/compat/xfree86 (actual location may vary for your
distro; mine is a debian system), which are

    interpret XF86_Ungrab {
        action = Private(type=0x86, data="Ungrab");
    };
    interpret XF86_ClearGrab {
        action = Private(type=0x86, data="ClsGrb");
    };
"

Could we implement it, too?
Comment 5 pi 2012-01-19 09:43:02 UTC
From xorg documentation this looks like it was once an intended feature that can be switched with config options but I don't see it in actuall man pages:

http://www.x.org/archive/X11R6.8.0/doc/xorg.conf.5.html

Option "AllowClosedownGrabs" "boolean"
    This option enables the use of the Ctrl+Alt+Keypad-Multiply key sequence to kill clients with an active keyboard or mouse grab as well as killing any application that may have locked the server, normally using the XGrabServer(3x) Xlib function. Default: off.
    Note that the options AllowDeactivateGrabs and AllowClosedownGrabs will allow users to remove the grab used by screen saver/locker programs. An API was written to such cases. If you enable this option, make sure your screen saver/locker is updated.
Comment 6 Alexander Tsoy 2012-01-19 10:09:20 UTC
(In reply to comment #5)
> From xorg documentation this looks like it was once an intended feature that
> can be switched with config options but I don't see it in actuall man pages:
> 
> http://www.x.org/archive/X11R6.8.0/doc/xorg.conf.5.html
> 
> Option "AllowClosedownGrabs" "boolean"
>     This option enables the use of the Ctrl+Alt+Keypad-Multiply key sequence to
> kill clients with an active keyboard or mouse grab as well as killing any
> application that may have locked the server, normally using the XGrabServer(3x)
> Xlib function. Default: off.
>     Note that the options AllowDeactivateGrabs and AllowClosedownGrabs will
> allow users to remove the grab used by screen saver/locker programs. An API was
> written to such cases. If you enable this option, make sure your screen
> saver/locker is updated.

http://cgit.freedesktop.org/xorg/xserver/commit/?id=5e43cd28692bc05cac80f38b47104a26c0524385
http://cgit.freedesktop.org/xorg/xserver/commit/?id=8c560422b44e012053612754430d2b87dc44ed59
Comment 7 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-01-19 13:16:15 UTC
*** Bug 399383 has been marked as a duplicate of this bug. ***
Comment 8 Chí-Thanh Christopher Nguyễn gentoo-dev 2012-01-19 13:43:53 UTC
Upstream patch: http://lists.x.org/archives/xorg-devel/2012-January/028693.html
Comment 9 Chí-Thanh Christopher Nguyễn gentoo-dev 2012-01-19 14:27:09 UTC
Patch applied in x11-misc/xkeyboard-config-2.4.1-r3
On my system it fixes the problem.
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-01-19 16:00:51 UTC
(In reply to comment #9)
> Patch applied in x11-misc/xkeyboard-config-2.4.1-r3
> On my system it fixes the problem.

Excellent, do we push it to stable? If so please add STABLEREQ and CC arches.
Comment 11 Chí-Thanh Christopher Nguyễn gentoo-dev 2012-01-19 17:26:20 UTC
Arches, please stabilize x11-misc/xkeyboard-config-2.4.1-r3

Target keywords: amd64 arm hppa x86

For other arches, the stable tree is not affected by this vulnerability. Bug 394393 has been updated so only non-vulnerable versions will go stable.
Comment 12 Agostino Sarubbo gentoo-dev 2012-01-19 17:42:38 UTC
amd64 stable
Comment 13 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-01-19 17:58:49 UTC
x86 stable
Comment 14 Michael Weber (RETIRED) gentoo-dev 2012-01-19 21:39:10 UTC
arm stable
Comment 15 Chí-Thanh Christopher Nguyễn gentoo-dev 2012-01-20 02:28:07 UTC
*** Bug 399453 has been marked as a duplicate of this bug. ***
Comment 16 Rafał Mużyło 2012-01-20 10:07:10 UTC
*** Bug 399485 has been marked as a duplicate of this bug. ***
Comment 17 Jeroen Roovers gentoo-dev 2012-01-24 12:53:08 UTC
Stable for HPPA.
Comment 18 Agostino Sarubbo gentoo-dev 2012-01-24 13:01:10 UTC
All arches done, filing new glsa request
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2012-01-27 21:59:54 UTC
This issue was resolved and addressed in
 GLSA 201201-16 at http://security.gentoo.org/glsa/glsa-201201-16.xml
by GLSA coordinator Alex Legler (a3li).