[arch-general] FS#28008 - Bypass screensaver/locker program on xorg 1.11 and up
Sébastien le Preste de Vauban
ulpianosonsi at gmail.com
Fri Jan 20 13:49:56 EST 2012
El 20/01/12 15:07, Florian Pritz escribió:
> On 20.01.2012 18:38, Sébastien le Preste de Vauban wrote:
>> El 20/01/12 04:10, Florian Pritz escribió:
>>> On 20.01.2012 02:18, David J. Haines wrote:
>>>> On Thu, Jan 19, 2012 at 8:08 PM, Tavian Barnes
>>>> <tavianator at tavianator.com> wrote:
>>>>> On 19 January 2012 18:23, Dmitry Korzhevin<dkorzhevin at lsupport.net> wrote:
>>>>>> a funny bug in the Xorg server that could allow attackers with physical
>>>>>> access to a machine to bypass the screensaver/screen locker program.
>>>>>> Most people use those programs to lock their computer when they are
>>>>>> away. On Gnome, gnome-screensaver is responsible for this. On KDE,
>>>>>> kscreenlocker is. There is a wide variety of smaller tools doing the
>>>>>> same thing, e.g. slock, slimlock, i3lock...
>>>>>>
>>>>>> Read more:
>>>>>> http://gu1.aeroxteam.fr/2012/01/19/bypass-screensaver-locker-program-xorg-111-and-up
>>>>>>
>>>>>> ctrl+atl+*(on num lock keyboard) confirmed and work in arch linux.
>>>>> IMO, it's not an X.Org or configuration bug, it's a bug in all the
>>>>> screen lockers.
>>>>>
>>>>> http://seclists.org/oss-sec/2012/q1/217
>>>>>
>>>>> --
>>>>> Tavian Barnes
>>>> No Happy Hacking Keyboard (1996 IBM Model M, baby!), but I do use a
>>>> custom keyboard layout that allows me to type international letters
>>>> and switch entirely to a phonetic Cyrillic layout.
>>> Please check if your custom layout contains the string "XF86_ClearGrab"
>>> (maybe also without the underscore) and if yes, replace it with
>>> "NoSymbol". Don't forget to reload it afterwards.
>>>
>> I did that and it solved the problem with the ctrl+atl+* key combo, but
>> I realized that ctrl+atl+/ does the same thing =(
>> I attach my custom xkbcomp file.
> The 4 debug symbols are: XF86LogGrabInfo, XF86Ungrab, XF86ClearGrab,
> XF86LogWindowTree
>
> Ungrab and ClearGrab can break things, while Log* are pretty harmless.
>
Thanks, removing all references to Ungrab and ClearGrab solved the problem.
More information about the arch-general
mailing list