Posted: Fri Jan 27, 2012 10:26 pm Post subject: [ GLSA 201201-16 ] X.Org X Server/X Keyboard Configuration Database: Screen lock bypass
Gentoo Linux Security Advisory
Title: X.Org X Server/X Keyboard Configuration Database: Screen lock bypass (GLSA 201201-16)
Date: January 27, 2012
A debugging functionality in the X.Org X Server that is bound to a hotkey by default can be used by local attackers to circumvent screen locks.
The X Keyboard Configuration Database provides keyboard configuration
for various X server implementations.
Vulnerable: < 2.4.1-r3
Unaffected: >= 2.4.1-r3
Architectures: amd64 arm hppa x86
Starting with the =x11-base/xorg-server-1.11 package, the X.Org X Server again provides debugging functionality that can be used to terminate an application that exclusively grabs mouse and keyboard input, like screen lockers. Gu1 reported that the X Keyboard Configuration Database maps this functionality by default to the Ctrl+Alt+Numpad * key combination.
A physically proximate attacker could exploit this vulnerability to gain
access to a locked X session without providing the correct credentials.
Downgrade to any version of x11-base/xorg-server below 1.11:
# emerge --oneshot --verbose "<x11-base/xorg-server-1.11"
All xkeyboard-config users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-misc/xkeyboard-config-2.4.1-r3"
NOTE: The X.Org X Server 1.11 was only stable on the AMD64, ARM, HPPA, and x86 architectures. Users of the stable branches of all other architectures are not affected and will be directly provided with a fixed X Keyboard Configuration Database version.
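The advisory names the key combination but not how to verify whether a given session still exposes it. The script below is an added example, not part of GLSA 201201-16 nor of the xkeyboard-config or xorg-server projects: it parses a keymap dump in xkbcomp's text format and reports every key whose symbol levels include one of the grab-breaking keysyms. It assumes (my assumptions, not stated in the advisory) that those keysyms are spelled XF86_Ungrab and XF86_ClearGrab (the underscore-less spellings are also matched) and that the live keymap is obtained with `xkbcomp -xkb "$DISPLAY" <file>`; the sample keymap in the test is constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the GLSA or the xkeyboard-config project).
# Audits an xkbcomp keymap dump for the keysyms that, when bound, let
# Ctrl+Alt+<key> break or kill the active grab (XF86_Ungrab, XF86_ClearGrab).
# Assumption: these keysym names are what the keymap uses; both the
# underscored and plain spellings are accepted.

# grab_break_keys FILE
#   Prints each `key <...> { ... };` entry of the dump that carries a
#   grab-breaking keysym. Exit status 0 if at least one entry was found,
#   1 if the keymap is clean. Only key entries are inspected, so an
#   `interpret XF86_ClearGrab {...}` line in the compat section alone
#   (which does nothing unless some key produces the keysym) is not a hit.
grab_break_keys() {
    awk '
        /^[ \t]*key[ \t]*</ { entry = ""; inkey = 1 }
        inkey { entry = entry (entry == "" ? "" : "\n") $0 }
        inkey && /};/ {
            if (entry ~ /XF86_?(Ungrab|ClearGrab)/) { print entry; found = 1 }
            inkey = 0
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# audit_live_keymap
#   Dumps the keymap of the server named by $DISPLAY with xkbcomp
#   (x11-apps/xkbcomp) and runs grab_break_keys on it.
#   Exit status: 0 = grab-breaking binding present, 1 = clean,
#   2 = could not obtain the keymap (no DISPLAY, no xkbcomp, ...).
audit_live_keymap() {
    tmp=$(mktemp) || return 2
    if ! xkbcomp -xkb "${DISPLAY:?DISPLAY is not set}" "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 2
    fi
    grab_break_keys "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage on a live session:
#   . ./xkb_grab_audit.sh && audit_live_keymap; echo "status: $?"
# Any printed <KPDV>/<KPMU> entry means a physically present attacker can
# still kill the screen locker's grab from the keyboard.
```

Run it once before and once after the xkeyboard-config upgrade (log out and back in, or reload the keymap with setxkbmap, so the server picks up the new symbols); the second run should print nothing and exit 1.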