oss-sec mailing list archives

Re: Screen locking programs on Xorg 1.11


From: Sebastian Pipping <sebastian () pipping org>
Date: Thu, 19 Jan 2012 08:45:51 +0100

On 01/19/2012 01:03 AM, Gu1 wrote:
> Hi,
> I recently found out that it is possible to kill a screensaver/screen
> locker program on the latest version of Xorg (1.11 shipped with
> archlinux, debian wheezy..) using the Ctrl+Alt+Multiply key binding.

I was able to reproduce it with Xorg 1.11.3 on Gentoo.
It didn't work for multiply from shift+plus (German keyboard layout) but
the keypad's plus (involving Num lock) did bypass the password dialog.
Scary!


> This behavior seems to have been introduced in a recent commit[1] and I
> couldn't find a way to disable it.
>
> All screen locking programs I tested (gnome-screensaver, kscreenlocker,
> slock, slimlock...), are basically rendered useless.

Thanks for not keeping this to yourself.  I'm really glad to know.


> [1]:
> http://cgit.freedesktop.org/xorg/xserver/commit/?id=7d2543a3cb3089241982ce4f8984fd723d5312a1

I found the commit on branch master, see here:

  http://cgit.freedesktop.org/xorg/xserver/log/?ofs=650

The first tag coming later in time seems to be xorg-server-1.10.99.902
on the page before:

  http://cgit.freedesktop.org/xorg/xserver/log/?ofs=600

I looked for function PrintDeviceGrabInfo introduced by the commit you
pointed to:

  # grep -Rl '^PrintDeviceGrabInfo' \
        xorg-server-1.10.3.901 \
        xorg-server-1.10.99.902 \
        xorg-server-1.11.3
  xorg-server-1.10.99.902/dix/grabs.c
  xorg-server-1.11.3/dix/grabs.c

So from a superficial analysis anything since 1.10.99.902 could be
vulnerable.

Best,



Sebastian

