[arch-general] security problem in X with screen saver
Hi All,
As per http://www.phoronix.com/scan.php?page=news_item&px=MTA0NTA
There is quite a serious security problem.
Is there a patch coming out soon? Does anyone yet know a workaround to this in the meanwhile? Can it be announced?
On Thu, Jan 19, 2012 at 08:58, Divan Santana <divan@s-tainment.co.za> wrote:
> Hi All,
> As per http://www.phoronix.com/scan.php?page=news_item&px=MTA0NTA
> There is quite a serious security problem.
> Is there a patch coming out soon? Does anyone yet know a workaround to this in the meanwhile? Can it be announced?
Have you verified that on your system?
On my system none of the keys mentioned in that article have the reported results; they all jump out to virtual terminals. I have not made any changes to the stock Arch config that would affect those keys.
/M
--
Magnus Therning                      OpenPGP: 0xAB4DFBA4
email: magnus@therning.org   jabber: magnus@therning.org
twitter: magthe               http://therning.org/magnus
2012/1/19 Magnus Therning <magnus@therning.org>:
> On Thu, Jan 19, 2012 at 08:58, Divan Santana <divan@s-tainment.co.za> wrote:
>> Hi All,
>> As per http://www.phoronix.com/scan.php?page=news_item&px=MTA0NTA
>> There is quite a serious security problem.
>> Is there a patch coming out soon? Does anyone yet know a workaround to this in the meanwhile? Can it be announced?
> Have you verified that on your system?
> On my system none of the keys mentioned in that article have the reported results; they all jump out to virtual terminals. I have not made any changes to the stock Arch config that would affect those keys.
Use the Ctrl + Alt + * from the keypad to trigger the "bug".
As explained in the article, this is purely Xorg related. Use vlock for example if you want to avoid the problem.
Tim
2012/1/19 Timothée Ravier <timothee.romain.ravier@gmail.com>:
> 2012/1/19 Magnus Therning <magnus@therning.org>:
>> On Thu, Jan 19, 2012 at 08:58, Divan Santana <divan@s-tainment.co.za> wrote:
>>> Hi All,
>>> As per http://www.phoronix.com/scan.php?page=news_item&px=MTA0NTA
>>> There is quite a serious security problem.
>>> Is there a patch coming out soon? Does anyone yet know a workaround to this in the meanwhile? Can it be announced?
>> Have you verified that on your system?
>> On my system none of the keys mentioned in that article have the reported results; they all jump out to virtual terminals. I have not made any changes to the stock Arch config that would affect those keys.
> Use the Ctrl + Alt + * from the keypad to trigger the "bug".
> As explained in the article, this is purely Xorg related. Use vlock for example if you want to avoid the problem.
Yes indeed, that works. What the hell was that other article doing mentioning all those Fn-keys then?
/M
--
Magnus Therning                      OpenPGP: 0xAB4DFBA4
email: magnus@therning.org   jabber: magnus@therning.org
twitter: magthe               http://therning.org/magnus
On 01/19/12 at 09:57am, Magnus Therning wrote:
> Yes indeed, that works. What the hell was that other article doing mentioning all those Fn-keys then?
> --
> Magnus Therning OpenPGP: 0xAB4DFBA4
Just confirming that it works. I hope arch adds the patch to the repos soon.
--
Madhurya Kakati
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments
On 01/19/2012 09:45 AM, Timothée Ravier wrote:
> 2012/1/19 Magnus Therning <magnus@therning.org>:
>> On Thu, Jan 19, 2012 at 08:58, Divan Santana <divan@s-tainment.co.za> wrote:
>>> Hi All,
>>> As per http://www.phoronix.com/scan.php?page=news_item&px=MTA0NTA
>>> There is quite a serious security problem.
>>> Is there a patch coming out soon? Does anyone yet know a workaround to this in the meanwhile? Can it be announced?
>> Have you verified that on your system?
>> On my system none of the keys mentioned in that article have the reported results; they all jump out to virtual terminals. I have not made any changes to the stock Arch config that would affect those keys.
> Use the Ctrl + Alt + * from the keypad to trigger the "bug".
> As explained in the article, this is purely Xorg related. Use vlock for example if you want to avoid the problem.
This has been fixed in xkeyboard-config 2.4.1-3 in testing. You have to reset your xkb map or restart X after updating.
The feature is still enabled in xorg-server so if anyone wants to use it, just create the necessary key mappings.
--
Florian Pritz -- {flo,bluewind}@server-speed.net
Florian Pritz <bluewind@xinu.at> on Thu, 19 Jan 2012 11:44:18 +0100:
> On 01/19/2012 09:45 AM, Timothée Ravier wrote:
>> 2012/1/19 Magnus Therning <magnus@therning.org>:
>>> On Thu, Jan 19, 2012 at 08:58, Divan Santana <divan@s-tainment.co.za> wrote:
>>>> Hi All,
>>>> As per http://www.phoronix.com/scan.php?page=news_item&px=MTA0NTA
>>>> There is quite a serious security problem.
>>>> Is there a patch coming out soon? Does anyone yet know a workaround to this in the meanwhile? Can it be announced?
>>> Have you verified that on your system?
>>> On my system none of the keys mentioned in that article have the reported results; they all jump out to virtual terminals. I have not made any changes to the stock Arch config that would affect those keys.
>> Use the Ctrl + Alt + * from the keypad to trigger the "bug".
>> As explained in the article, this is purely Xorg related. Use vlock for example if you want to avoid the problem.
> This has been fixed in 2.4.1-3 in testing. You have to reset your xkb map or restart X after updating.
> The feature is still enabled in xorg-server so if anyone wants to use it, just create the necessary key mappings.
This fixes the problem for me. Everything seems to be fine now. I vote for xkeyboard-config to be moved to [extra] asap.
Thanks for the fast fix!
--
Best regards,
Chris
O< ascii ribbon campaign
stop html mail - www.asciiribbon.org
Hi,
a quick fix I developed for my Fedora 16 box:
1. Dump the xkb:
   $ xkbcomp $DISPLAY xkb.dump
2. Make a backup:
   $ cp xkb.dump xkb.dump_orig
3. Remove all entries related to XF86ClearGrab and XF86Ungrab
4. Apply the XKB entries:
   $ xkbcomp xkb.dump $DISPLAY
In case of any problems restore the original XKB entries:
   $ xkbcomp xkb.dump_orig $DISPLAY
This should be applied after each Xorg start.
A better way to fix this would be finding the real XKB config file, but I didn't manage to find any entries in /etc or /usr. It's probably compiled into libX11.so.
Regards
--
Maciej Sitarz
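One way to script step 3 of the procedure in the message above, as an added example that is not part of the original post. The function names and the sample dump are constructed for illustration; matching both the `XF86Ungrab` and `XF86_Ungrab` spellings, and replacing the keysym in key definitions with `NoSymbol` instead of deleting it, are assumptions made here so the filtered dump stays parseable.

```shell
#!/bin/sh
# Assumption: the keysyms may be spelled with or without an underscore
# (XF86Ungrab / XF86_Ungrab), so the pattern accepts both.
GRAB_RE='XF86_?(ClearGrab|Ungrab)'

# List lines of dump $1 that still reference a grab-breaking keysym.
# Exit status: 0 = at least one reference found, 1 = none.
find_grab_keysyms() {
    grep -nE "$GRAB_RE" "$1"
}

# Print dump $1 with the grab-breaking entries neutralised:
#  - multi-line "interpret XF86_Ungrab... { ... };" blocks are dropped
#  - inside key definitions the keysym becomes NoSymbol, which keeps the
#    level list (and therefore the whole file) syntactically valid
strip_grab_keysyms() {
    awk -v re="$GRAB_RE" '
        skipping { if ($0 ~ /^[ \t]*\};/) skipping = 0; next }
        $0 ~ ("^[ \t]*interpret[ \t]+" re) { if ($0 !~ /\};/) skipping = 1; next }
        { gsub(re, "NoSymbol"); print }
    ' "$1"
}

# Constructed sample shaped like `xkbcomp $DISPLAY xkb.dump` output (not a real dump).
write_sample_dump() {
    cat > "$1" <<'EOF'
xkb_compatibility "complete" {
    interpret XF86_Ungrab+AnyOfOrNone(all) {
        action= Private(type=0x86,data[0]=0x55);
    };
    interpret XF86_ClearGrab+AnyOfOrNone(all) {
        action= Private(type=0x86,data[0]=0x43);
    };
    interpret Caps_Lock+AnyOfOrNone(all) {
        action= LockMods(modifiers=Lock);
    };
};
xkb_symbols "pc+us" {
    key <KPMU> { type= "CTRL+ALT", symbols[Group1]= [ KP_Multiply, KP_Multiply, KP_Multiply, KP_Multiply, XF86ClearGrab ] };
    key <KPDV> { type= "CTRL+ALT", symbols[Group1]= [ KP_Divide, KP_Divide, KP_Divide, KP_Divide, XF86Ungrab ] };
};
EOF
}

tmp=$(mktemp -d)
write_sample_dump "$tmp/xkb.dump"
strip_grab_keysyms "$tmp/xkb.dump" > "$tmp/xkb.fixed"
find_grab_keysyms "$tmp/xkb.fixed" || echo "clean: no grab-breaking keysyms left"
```

On a live session the input would be the dump from step 1 and the filtered file would be loaded as in step 4. Running `find_grab_keysyms` on a fresh dump is also a quick check that the keymap was actually reset after updating xkeyboard-config.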
participants (7)
- Christian Hesse
- Divan Santana
- Florian Pritz
- Maciej Sitarz
- Madhurya Kakati
- Magnus Therning
- Timothée Ravier