GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Fri Jan 27, 2012 10:26 pm Post subject: [ GLSA 201201-16 ] X.Org X Server/X Keyboard Configuration D |
 |
|
Gentoo Linux Security Advisory
Title: X.Org X Server/X Keyboard Configuration Database: Screen lock bypass (GLSA 201201-16)
Severity: normal
Exploitable: local
Date: January 27, 2012
Bug(s): #399347
ID: 201201-16
Synopsis
A debugging functionality in the X.Org X Server that is bound to a
hotkey by default can be used by local attackers to circumvent screen
locking utilities.
Background
The X Keyboard Configuration Database provides keyboard configuration
for various X server implementations.
Affected Packages
Package: x11-misc/xkeyboard-config
Vulnerable: < 2.4.1-r3
Unaffected: >= 2.4.1-r3
Architectures: amd64 arm hppa x86
Description
Starting with the =x11-base/xorg-server-1.11 package, the X.Org X Server
again provides debugging functionality that can be used terminate an
application that exclusively grabs mouse and keyboard input, like screen
locking utilities.
Gu1 reported that the X Keyboard Configuration Database maps this
functionality by default to the Ctrl+Alt+Numpad * key combination.
Impact
A physically proximate attacker could exploit this vulnerability to gain
access to a locked X session without providing the correct credentials.
Workaround
Downgrade to any version of x11-base/xorg-server below
x11-base/xorg-server-1.11:
| Code: | # emerge --oneshot --verbose "<x11-base/xorg-server-1.11"
|
Resolution
All xkeyboard-config users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose
">=x11-misc/xkeyboard-config-2.4.1-r3"
|
NOTE: The X.Org X Server 1.11 was only stable on the AMD64, ARM, HPPA,
and x86 architectures. Users of the stable branches of all other
architectures are not affected and will be directly provided with a fixed
X Keyboard Configuration Database version.
References
CVE-2012-0064 |
|
News & Announcements
