Bug 720150 - [TRACKER] x11-libs/libXxf86misc removal
Summary: [TRACKER] x11-libs/libXxf86misc removal
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo X packagers
URL:
Whiteboard:
Keywords: PMASKED, Tracker
Depends on: 720152 720154 720156 720158
Blocks:
Reported: 2020-04-30 17:46 UTC by Matt Turner
Modified: 2020-06-08 17:29 UTC
Description Matt Turner gentoo-dev 2020-04-30 17:46:57 UTC
Xserver support has been gone for 10+ years. This package should be removed. Fortunately there are only a few reverse dependencies.
Comment 1 Larry the Git Cow gentoo-dev 2020-05-08 05:34:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34d6bc41a9e5fb8417b3a63f9391057717406a23

commit 34d6bc41a9e5fb8417b3a63f9391057717406a23
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2020-05-08 05:32:50 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2020-05-08 05:32:50 +0000

    profile: Mask x11-libs/libXxf86misc for removal
    
    Bug: https://bugs.gentoo.org/720150
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
Comment 2 Sophie Hamilton 2020-05-10 16:01:30 UTC
Given this change and the subsequent patch added in =x11-misc/xscreensaver-5.43-r3, am I right in thinking that this would re-allow an attack like https://who-t.blogspot.com/2012/01/xkb-breaking-grabs-cve-2012-0064.html for users running xscreensaver?

I mean, I know that general security wisdom is that if anyone has physical access to your box then you've lost anyway, but is there an alternative screensaver that would stop these keys, or is it not worth trying to defend against?
Comment 3 Matt Turner gentoo-dev 2020-05-10 17:59:37 UTC
(In reply to Sophie Hamilton from comment #2)
> Given this change and the subsequent patch added in
> =x11-misc/xscreensaver-5.43-r3, am I right in thinking that this would
> re-allow an attack like
> https://who-t.blogspot.com/2012/01/xkb-breaking-grabs-cve-2012-0064.html for
> users running xscreensaver?
> 
> I mean, I know that general security wisdom is that if anyone has physical
> access to your box then you've lost anyway, but is there an alternative
> screensaver that would stop these keys, or is it not worth trying to defend
> against?

Support for the XF86MISC extension was removed from the Xserver in version 1.6.0, released February 2009. The libXxf86misc library is the client-side library for talking that protocol. Without server-side support, the client-side library cannot be useful.

I don't know the specifics of that bug, but I don't think it's possible that removing a client-side library without server-side support could do anything, much less reintroduce a security vulnerability.

FWIW, I just looked through the patches Fedora has for xscreensaver (since they stopped building xscreensaver against libXxf86misc in F31) to see if they had anything that looked security-related. I didn't see anything but regular old bug fixes (https://src.fedoraproject.org/rpms/xscreensaver/tree/master).
Comment 4 Larry the Git Cow gentoo-dev 2020-06-08 17:29:16 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ba5e02f695749d59f23840ce6602cdc52ec7c720

commit ba5e02f695749d59f23840ce6602cdc52ec7c720
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2020-06-08 17:28:10 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2020-06-08 17:28:58 +0000

    x11-libs/libXxf86misc: Remove
    
    Closes: https://bugs.gentoo.org/720150
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 profiles/package.mask                           |  5 -----
 x11-libs/libXxf86misc/Manifest                  |  1 -
 x11-libs/libXxf86misc/libXxf86misc-1.0.4.ebuild | 15 ---------------
 x11-libs/libXxf86misc/metadata.xml              |  8 --------
 4 files changed, 29 deletions(-)