Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 19 Jan 2012 00:49:25 -0500
From: Michael Gilbert <michael.s.gilbert@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Screen locking programs on Xorg 1.11

On Wed, Jan 18, 2012 at 8:53 PM, Michael Gilbert wrote:
> On Wed, Jan 18, 2012 at 7:03 PM, Gu1 wrote:
>> Hi,
>> I recently found out that it is possible to kill a screensaver/screen
>> locker program on the latest version of Xorg (1.11 shipped with
>> archlinux, debian wheezy..) using the Ctrl+Alt+Multiply key binding.
>>
>> This behavior seems to have been introduced in a recent commit[1] and i
>> couldn't find a way to disable it.
>>
>> All screen locking programs i tested (gnome-screensaver, kscreenlocker,
>> slock, slimlock...), are basically rendered useless.
>>
>> Not sure if this is a bug or a feature... :)
>
> All I can say is wow.  A key combo/code that reproducibly kills all
> screen lockers is definitely *not* a feature.  This demonstrates the
> importance of code review in critical code.  Nice find.

As a temporary solution, I've found that commenting lines 44-49 in
/usr/share/X11/xkb/compat/xfree86 (actual location may vary for your
distro; mine is a debian system), which are

    interpret XF86_Ungrab {
        action = Private(type=0x86, data="Ungrab");
    };
    interpret XF86_ClearGrab {
        action = Private(type=0x86, data="ClsGrb");
    };

and running "setxkbmap $(setxkbmap -query | grep layout | awk '{print
$2}')" solves the problem.

Best wishes,
Mike

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ