Package: xserver-xorg-core
Version: 2:1.11.3.901-1
Severity: critical
Tags: security
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org

It is possible to kill every screensaver/screen locker program (gnome-screensaver, kscreenlocker, slock, slimlock...) on the latest version of Xorg (1.11) using the Ctrl+Alt+Multiply key binding.

It didn't work for multiply from shift+plus (Spanish keyboard layout) but the keypad's plus (involving Num lock) did bypass the password dialog. I have tested it with kscreenlocker.

This behavior seems to have been introduced in a recent commit in Xorg upstream:
http://cgit.freedesktop.org/xorg/xserver/commit/?id=7d2543a3cb3089241982ce4f8984fd723d5312a1

(source: http://seclists.org/oss-sec/2012/q1/191)

--- System information. ---
Architecture: i386
Kernel: Linux 3.1.0-1-686-pae

Debian Release: wheezy/sid
500 unstable www.debian-multimedia.org
500 unstable http.us.debian.org
500 stable security.debian.org

--- Package information. ---
Depends (Version)                   | Installed
====================================-+-====================
xserver-common (>= 2:1.11.3.901-1)  | 2:1.11.3.901-1
keyboard-configuration              | 1.75
udev (>= 149)                       | 175-3
libaudit0 (>= 1.7.13)               | 1.7.18-1
libc6 (>= 2.8)                      | 2.13-24
libdrm2 (>= 2.3.1)                  | 2.4.30-1
libgcrypt11 (>= 1.4.5)              | 1.5.0-3
libpciaccess0 (>= 0.10.7)           | 0.12.902-1
libpixman-1-0 (>= 0.21.6)           | 0.24.0-1
libselinux1 (>= 2.0.82)             | 2.1.0-4
libudev0 (>= 146)                   | 175-3
libxau6                             | 1:1.0.6-4
libxdmcp6                           | 1:1.1.0-4
libxfont1 (>= 1:1.4.2)              | 1:1.4.4-1

Recommends (Version)                | Installed
====================================-+-==============
libgl1-mesa-dri (>= 7.10.2-4)       | 7.11.2-1

Suggests (Version)                  | Installed
====================================-+-===========
xfonts-100dpi                       | 1:1.0.3
 OR xfonts-75dpi                    | 1:1.0.3
xfonts-scalable                     | 1:1.0.3-1