The password query (of gnome-screensaver and others) can be bypassed by pressing <Ctrl>+<Alt>+<Keypad_Plus>. More details here:

Screen locking programs on Xorg 1.11
http://thread.gmane.org/gmane.comp.security.oss.general/6725

So scary to me that I chose to let you decide when the public should see this...
*** Bug 399351 has been marked as a duplicate of this bug. ***
The issue is public, thus I'm unrestricting the bug. Commit introducing the issue: http://cgit.freedesktop.org/xorg/xserver/commit/?id=7d2543a3cb3089241982ce4f8984fd723d5312a1
This also works against xtrlock (debian) and slock (gentoo).
There is a pretty simple patch in the thread, that works for me:

"As a temporary solution, I've found that commenting lines 44-49 in /usr/share/X11/xkb/compat/xfree86 (actual location may vary for your distro; mine is a debian system), which are

    interpret XF86_Ungrab {
        action = Private(type=0x86, data="Ungrab");
    };
    interpret XF86_ClearGrab {
        action = Private(type=0x86, data="ClsGrb");
    };
"

Could we implement it, too?
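The workaround quoted above disables the two XKB "interpret" blocks that map XF86_Ungrab and XF86_ClearGrab to the server-private grab-breaking actions. The following POSIX shell check is an added example, not part of the bug thread or of xkeyboard-config: it reports whether a compat file still contains an active (uncommented) interpret block for either keysym, so an administrator can verify that the workaround or the updated package is in effect. The two sample fragments are constructed for the demonstration; the real file path is the one named in the thread and may differ per distribution.

```shell
#!/bin/sh
# Added example (not from the bug thread): detect whether an XKB compat file
# still maps XF86_Ungrab / XF86_ClearGrab to the Private(type=0x86) actions
# that let a keyboard grab (e.g. a screen locker's) be broken from the keyboard.

# Read XKB compat text on stdin. Return 0 if an active interpret block for
# XF86_Ungrab or XF86_ClearGrab is present, 1 otherwise.
# XKB files use C++-style "//" comments, so commented-out lines are stripped
# before matching; a "#" in column 1 is not a comment in XKB and is left alone.
xkb_grab_actions_active() {
    sed 's|//.*$||' | grep -Eq 'interpret[[:space:]]+XF86_(Ungrab|ClearGrab)[[:space:]]*\{'
}

# Constructed sample: the vulnerable fragment as quoted in the thread.
VULNERABLE_SAMPLE='interpret XF86_Ungrab {
    action = Private(type=0x86, data="Ungrab");
};
interpret XF86_ClearGrab {
    action = Private(type=0x86, data="ClsGrb");
};'

# Constructed sample: the same lines after applying the commenting workaround.
MITIGATED_SAMPLE='// interpret XF86_Ungrab {
//     action = Private(type=0x86, data="Ungrab");
// };
// interpret XF86_ClearGrab {
//     action = Private(type=0x86, data="ClsGrb");
// };'

# Evaluate one sample ($2) labelled $1 and return a one-line verdict.
check_sample() {
    if printf '%s\n' "$2" | xkb_grab_actions_active; then
        echo "$1: XF86_Ungrab/XF86_ClearGrab actions ACTIVE"
    else
        echo "$1: XF86_Ungrab/XF86_ClearGrab actions disabled"
    fi
}

check_sample vulnerable "$VULNERABLE_SAMPLE"
check_sample mitigated  "$MITIGATED_SAMPLE"

# On a real system (path as given in the thread; may vary per distro):
#   xkb_grab_actions_active < /usr/share/X11/xkb/compat/xfree86 && echo "still active"
```

Note that the check only looks at the file on disk; the running X server keeps the keymap it loaded at startup (or at the last setxkbmap), so after editing the file or upgrading xkeyboard-config the keymap must be reloaded before the server is actually protected.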
From xorg documentation this looks like it was once an intended feature that can be switched with config options, but I don't see it in actual man pages:

http://www.x.org/archive/X11R6.8.0/doc/xorg.conf.5.html

Option "AllowClosedownGrabs" "boolean"
This option enables the use of the Ctrl+Alt+Keypad-Multiply key sequence to kill clients with an active keyboard or mouse grab as well as killing any application that may have locked the server, normally using the XGrabServer(3x) Xlib function. Default: off.
Note that the options AllowDeactivateGrabs and AllowClosedownGrabs will allow users to remove the grab used by screen saver/locker programs. An API was written to such cases. If you enable this option, make sure your screen saver/locker is updated.
(In reply to comment #5)
> From xorg documentation this looks like it was once an intended feature that
> can be switched with config options but I don't see it in actual man pages:
>
> http://www.x.org/archive/X11R6.8.0/doc/xorg.conf.5.html
>
> Option "AllowClosedownGrabs" "boolean"
> This option enables the use of the Ctrl+Alt+Keypad-Multiply key sequence to
> kill clients with an active keyboard or mouse grab as well as killing any
> application that may have locked the server, normally using the XGrabServer(3x)
> Xlib function. Default: off.
> Note that the options AllowDeactivateGrabs and AllowClosedownGrabs will
> allow users to remove the grab used by screen saver/locker programs. An API was
> written to such cases. If you enable this option, make sure your screen
> saver/locker is updated.

http://cgit.freedesktop.org/xorg/xserver/commit/?id=5e43cd28692bc05cac80f38b47104a26c0524385
http://cgit.freedesktop.org/xorg/xserver/commit/?id=8c560422b44e012053612754430d2b87dc44ed59
*** Bug 399383 has been marked as a duplicate of this bug. ***
Upstream patch: http://lists.x.org/archives/xorg-devel/2012-January/028693.html
Patch applied in x11-misc/xkeyboard-config-2.4.1-r3
On my system it fixes the problem.
(In reply to comment #9)
> Patch applied in x11-misc/xkeyboard-config-2.4.1-r3
> On my system it fixes the problem.

Excellent, do we push it to stable? If so please add STABLEREQ and CC arches.
Arches, please stabilize x11-misc/xkeyboard-config-2.4.1-r3
Target keywords: amd64 arm hppa x86

For other arches, the stable tree is not affected by this vulnerability. Bug 394393 has been updated so only non-vulnerable versions will go stable.
amd64 stable
x86 stable
arm stable
*** Bug 399453 has been marked as a duplicate of this bug. ***
*** Bug 399485 has been marked as a duplicate of this bug. ***
Stable for HPPA.
All arches done, filing new glsa request
This issue was resolved and addressed in GLSA 201201-16 at http://security.gentoo.org/glsa/glsa-201201-16.xml by GLSA coordinator Alex Legler (a3li).