Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 707966 (CVE-2016-10894) - <x11-misc/xtrlock-2.12: screen lock input bypass through multitouch events
Summary: <x11-misc/xtrlock-2.12: screen lock input bypass through multitouch events
Status: RESOLVED FIXED
Alias: CVE-2016-10894
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://security-tracker.debian.org/t...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-02 20:23 UTC by Jeroen Roovers (RETIRED)
Modified: 2020-03-25 19:13 UTC (History)
1 user (show)

See Also:
Package list:
=x11-misc/xtrlock-2.12
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2020-02-02 20:23:47 UTC
"xtrlock through 2.10 does not block multitouch events. Consequently, an attacker at a locked screen can send input to (and thus control) various programs such as Chromium via events such as pan scrolling, "pinch and zoom" gestures, or even regular mouse clicks (by depressing the touchpad once and then clicking with a different finger)."
Comment 1 Larry the Git Cow gentoo-dev 2020-02-02 20:24:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f5ab1a1689f38303308034fba0c1870b0ba1281

commit 1f5ab1a1689f38303308034fba0c1870b0ba1281
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-02-02 20:24:13 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-02-02 20:24:30 +0000

    x11-misc/xtrlock: Version 2.12
    
    Package-Manager: Portage-2.3.87, Repoman-2.3.20
    Bug: https://bugs.gentoo.org/707966
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 x11-misc/xtrlock/Manifest            |  1 +
 x11-misc/xtrlock/xtrlock-2.12.ebuild | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
Comment 2 Agostino Sarubbo gentoo-dev 2020-02-03 12:30:46 UTC
ppc stable
Comment 3 Agostino Sarubbo gentoo-dev 2020-02-03 12:38:53 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-02-03 15:24:54 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 5 Larry the Git Cow gentoo-dev 2020-02-03 16:21:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0ef92095a9f759add1f7cf823001b8cbd00c26b3

commit 0ef92095a9f759add1f7cf823001b8cbd00c26b3
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-02-03 16:20:40 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-02-03 16:21:06 +0000

    x11-misc/xtrlock: Old
    
    Package-Manager: Portage-2.3.87, Repoman-2.3.20
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=707966
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 x11-misc/xtrlock/Manifest           |  1 -
 x11-misc/xtrlock/xtrlock-2.8.ebuild | 35 -----------------------------------
 2 files changed, 36 deletions(-)
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-18 17:56:34 UTC
Tree is now clean.
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-25 19:13:37 UTC
GLSA Vote: No

Repository is clean, all done!