Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 201201-16 ] X.Org X Server/X Keyboard Configuration Database: Screen lock bypass
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Advocate
Advocate


Joined: 12 May 2004
Posts: 2663

PostPosted: Fri Jan 27, 2012 10:26 pm    Post subject: [ GLSA 201201-16 ] X.Org X Server/X Keyboard Configuration D Reply with quote

Gentoo Linux Security Advisory

Title: X.Org X Server/X Keyboard Configuration Database: Screen lock bypass (GLSA 201201-16)
Severity: normal
Exploitable: local
Date: January 27, 2012
Bug(s): #399347
ID: 201201-16

Synopsis

A debugging functionality in the X.Org X Server that is bound to a
hotkey by default can be used by local attackers to circumvent screen
locking utilities.


Background

The X Keyboard Configuration Database provides keyboard configuration
for various X server implementations.


Affected Packages

Package: x11-misc/xkeyboard-config
Vulnerable: < 2.4.1-r3
Unaffected: >= 2.4.1-r3
Architectures: amd64 arm hppa x86


Description

Starting with the =x11-base/xorg-server-1.11 package, the X.Org X Server
again provides debugging functionality that can be used terminate an
application that exclusively grabs mouse and keyboard input, like screen
locking utilities.
Gu1 reported that the X Keyboard Configuration Database maps this
functionality by default to the Ctrl+Alt+Numpad * key combination.


Impact

A physically proximate attacker could exploit this vulnerability to gain
access to a locked X session without providing the correct credentials.


Workaround

Downgrade to any version of x11-base/xorg-server below
x11-base/xorg-server-1.11:
Code:
# emerge --oneshot --verbose "<x11-base/xorg-server-1.11"
   


Resolution

All xkeyboard-config users should upgrade to the latest version:
Code:
# emerge --sync
      # emerge --ask --oneshot --verbose
      ">=x11-misc/xkeyboard-config-2.4.1-r3"
   
NOTE: The X.Org X Server 1.11 was only stable on the AMD64, ARM, HPPA,
and x86 architectures. Users of the stable branches of all other
architectures are not affected and will be directly provided with a fixed
X Keyboard Configuration Database version.


References

CVE-2012-0064
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum