[arch-general] FS#28008 - Bypass screensaver/locker program on xorg 1.11 and up

David J. Haines dhaines at gmail.com
Fri Jan 20 10:40:25 EST 2012


On Fri, Jan 20, 2012 at 7:53 AM, David J. Haines <dhaines at gmail.com> wrote:
> On Jan 20, 2012 2:10 AM, "Florian Pritz" <bluewind at xinu.at> wrote:
>>
>> On 20.01.2012 02:18, David J. Haines wrote:
>> > On Thu, Jan 19, 2012 at 8:08 PM, Tavian Barnes
>> > <tavianator at tavianator.com> wrote:
>> >> On 19 January 2012 18:23, Dmitry Korzhevin <dkorzhevin at lsupport.net>
>> >> wrote:
>> >>> a funny bug in the Xorg server that could allow attackers with
>> >>> physical
>> >>> access to a machine to bypass the screensaver/screen locker program.
>> >>> Most people use those programs to lock their computer when they are
>> >>> away. On Gnome, gnome-screensaver is responsible for this. On KDE,
>> >>> kscreenlocker is. There is a wide variety of smaller tools doing the
>> >>> same thing, e.g. slock, slimlock, i3lock...
>> >>>
>> >>> Read more:
>> >>>
>> >>> http://gu1.aeroxteam.fr/2012/01/19/bypass-screensaver-locker-program-xorg-111-and-up
>> >>>
>> >>> ctrl+alt+* (on num lock keyboard) confirmed and works in Arch Linux.
>> >>
>> >> IMO, it's not an X.Org or configuration bug, it's a bug in all the
>> >> screen lockers.
>> >>
>> >> http://seclists.org/oss-sec/2012/q1/217
>> >>
>> >> --
>> >> Tavian Barnes
>> >
>> > No Happy Hacking Keyboard (1996 IBM Model M, baby!), but I do use a
>> > custom keyboard layout that allows me to type international letters
>> > and switch entirely to a phonetic Cyrillic layout.
>>
>> Please check if your custom layout contains the string "XF86_ClearGrab"
>> (maybe also without the underscore) and if yes, replace it with
>> "NoSymbol". Don't forget to reload it afterwards.
>>
>> --
>> Florian Pritz
>>
>
> I will be sure to do that, but that does seem only to address the symptom
> and not the underlying sickness. As I intimated earlier, this is most likely
> an issue for the app (or more precisely screen locking app) writers.
>
> Thanks for what looks to be a great interim solution!

FYI, this interim solution does work. I'll make sure that xscreensaver
upstream knows about this issue.

David J. Haines
dhaines at gmail.com
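
The layout check Florian Pritz describes in the thread, written out as an added example (not part of the original messages and not code from any participant). The function names and the sample layout are constructed for illustration; the script writes a patched copy and leaves reloading the layout to you.

```shell
#!/bin/sh
# Added example: audit an XKB symbols file for the keysym named in the
# thread and write a patched copy with it mapped to NoSymbol.
# The pattern covers "XF86_ClearGrab" and the spelling without underscore.
GRAB_RE='XF86_?ClearGrab'

# Print "line-number:text" for every line that binds the keysym.
# Exit status 0 = at least one binding found, 1 = layout is clean.
find_clear_grab() {
    grep -nE "$GRAB_RE" "$1"
}

# Write a patched copy of layout $1 to $2. The original is left untouched
# so it can be diffed against the copy and restored if needed.
patch_clear_grab() {
    sed -E "s/$GRAB_RE/NoSymbol/g" "$1" > "$2"
}

# Constructed sample layout (hypothetical, not copied from a real keymap).
make_sample_layout() {
    cat > "$1" <<'EOF'
partial keypad_keys
xkb_symbols "custom" {
    key <KPMU> {
        type = "CTRL+ALT",
        symbols[Group1] = [ KP_Multiply, KP_Multiply, KP_Multiply, KP_Multiply, XF86_ClearGrab ]
    };
    key <KPDV> { [ KP_Divide, KP_Divide, KP_Divide, KP_Divide, XF86ClearGrab ] };
    key <AD01> { [ q, Q, Cyrillic_ya, Cyrillic_YA ] };
};
EOF
}

demo() {
    dir=$(mktemp -d)
    make_sample_layout "$dir/custom"
    echo "Bindings found in the original:"
    find_clear_grab "$dir/custom" || echo "  none"
    patch_clear_grab "$dir/custom" "$dir/custom.patched"
    if find_clear_grab "$dir/custom.patched" >/dev/null; then
        echo "patched copy still binds the keysym"
    else
        echo "patched copy is clean"
    fi
    rm -rf "$dir"
}

demo
```

To audit a real layout, call `find_clear_grab` on the symbols file you load, review the reported lines, then install the patched copy and reload the layout as the thread advises.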

