Your message dated Sat, 14 Mar 2020 19:17:10 +0000
with message-id <[email protected]>
and subject line Bug#830726: fixed in xtrlock 2.8+deb10u1
has caused the Debian Bug report #830726,
regarding xtrlock: CVE-2016-10894: xtrlock does not block multitouch events
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
830726: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830726
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: xtrlock
Version: 2.8
Severity: normal
Tags: upstream

Dear Maintainer,

xtrlock appears not to block multitouch events when the session is locked, so
that any user stumbling upon a locked session can still input multitouch events.

One could imagine that this could constitute a security vulnerability (requiring
physical access to the machine).

Steps to reproduce (on a computer with a suitably configured touchscreen):

1. Open chromium (my example of a program that processes multitouch events) and
put it in fullscreen mode.
2. Check that you can pinch and zoom (put two fingers on the screen and move
them closer or further apart to change the zoom level).
3. Run xtrlock to lock the session.
4. With xtrlock running, put one finger on the screen and leave it there (the
mouse pointer with the xtrlock lock icon follows that finger). While doing this,
perform the pinch and zoom with two other fingers.

Observed result:

The pinch and zoom is taken into account by chromium even though the session is
locked.

Expected result:

The event should not be seen by chromium while the session is locked.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (650, 'testing'), (600, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages xtrlock depends on:
ii  libc6     2.22-13
ii  libx11-6  2:1.6.3-1

xtrlock recommends no packages.

xtrlock suggests no packages.

-- debconf-show failed

--- End Message ---
--- Begin Message ---
Source: xtrlock
Source-Version: 2.8+deb10u1
Done: Chris Lamb <[email protected]>

We believe that the bug you reported is fixed in the latest version of
xtrlock, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated xtrlock package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 16 Jan 2020 16:00:52 +0000
Source: xtrlock
Architecture: source
Version: 2.8+deb10u1
Distribution: buster
Urgency: high
Maintainer: Matthew Vernon <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 830726
Changes:
 xtrlock (2.8+deb10u1) buster; urgency=high
 .
   * CVE-2016-10894: Attempt to grab multitouch devices which are not
     intercepted via XGrabPointer.
 .
     xtrlock did not block multitouch events so an attacker could still input
     and thus control various programs such as Chromium, etc. via so-called
     "multitouch" events such as pan scrolling, "pinch and zoom", or even being
     able to provide regular mouse clicks by depressing the touchpad once and
     then clicking with a secondary finger.
 .
     This fix does not address the situation where Eve plugs in a multitouch device
     *after* the screen has been locked. For more information on this angle,
     please see <https://bugs.debian.org/830726#115>. (Closes: #830726)
Checksums-Sha1:
 f950ec30c91399896229718af98d97887e404aca 1461 xtrlock_2.8+deb10u1.dsc
 a83b0156c4d792af244aea0ae9ff89a735c5f247 21907 xtrlock_2.8+deb10u1.tar.gz
 5a0fed0546a8189a3f9f2c1cb382f0cc3de7a19a 5076 xtrlock_2.8+deb10u1_amd64.buildinfo
Checksums-Sha256:
 afcd1196e84993cf13bd82c06c946010f6bb80169a69922bb121b2720cfc8aff 1461 xtrlock_2.8+deb10u1.dsc
 0aa7025c298d9590ac39270c159d460d327fcab0c71045f257905221e8b2f535 21907 xtrlock_2.8+deb10u1.tar.gz
 b471cd73c2e9bbd2bc868fdc2a52bf8782ab3b98d679012c550cb320de2878d2 5076 xtrlock_2.8+deb10u1_amd64.buildinfo
Files:
 3274cf204947ca02b47dc102d4455154 1461 x11 optional xtrlock_2.8+deb10u1.dsc
 4516ca210599526c63d382367d53a93b 21907 x11 optional xtrlock_2.8+deb10u1.tar.gz
 b6f9d6e2d975cf1b15fa4759e2e57890 5076 x11 optional xtrlock_2.8+deb10u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---