Your message dated Fri, 11 Oct 2019 19:52:58 +0000
with message-id <e1ij0ya-000fxj...@fasolo.debian.org>
and subject line Bug#830726: fixed in xtrlock 2.12
has caused the Debian Bug report #830726,
regarding xtrlock: CVE-2016-10894: xtrlock does not block multitouch events
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
830726: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830726
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xtrlock
Version: 2.8
Severity: normal
Tags: upstream

Dear Maintainer,

xtrlock appears not to block multitouch events when the session is locked, so
that any user stumbling upon a locked session can still input multitouch events.

One could imagine that this could constitute a security vulnerability (requiring
physical access to the machine).

Steps to reproduce (on a computer with a suitably configured touchscreen):

1. Open chromium (my example of a program that processes multitouch events) and
put it in fullscreen mode.
2. Check that you can pinch and zoom (put two fingers on the screen and move
them closer or further apart to change the zoom level).
3. Run xtrlock to lock the session.
4. With xtrlock running, put one finger on the screen and leave it there (the
mouse pointer with the xtrlock lock icon follows that finger). While doing this,
perform the pinch and zoom with two other fingers.

Observed result:

The pinch and zoom is taken into account by chromium even though the session is
locked.

Expected result:

The event should not be seen by chromium while the session is locked.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (650, 'testing'), (600, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages xtrlock depends on:
ii  libc6     2.22-13
ii  libx11-6  2:1.6.3-1

xtrlock recommends no packages.

xtrlock suggests no packages.

-- debconf-show failed

--- End Message ---
--- Begin Message ---
Source: xtrlock
Source-Version: 2.12

We believe that the bug you reported is fixed in the latest version of
xtrlock, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 830...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated xtrlock package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 11 Oct 2019 12:41:39 -0700
Source: xtrlock
Architecture: source
Version: 2.12
Distribution: unstable
Urgency: medium
Maintainer: Matthew Vernon <matt...@debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 830726
Changes:
 xtrlock (2.12) unstable; urgency=medium
 .
   * CVE-2016-10894: Attempt to grab multitouch devices which are not
     intercepted via XGrabPointer. (Closes: #830726)
   * Bump Standards-Version to 4.4.1.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
