blob: 79d77ddce3f1916afd942df2265734b87506b5fd [file] [log] [blame]
<?xml version="1.0" encoding="UTF-8"?>
<glsa id="201201-16">
<title>X.Org X Server/X Keyboard Configuration Database: Screen lock bypass</title>
<synopsis>A debugging functionality in the X.Org X Server that is bound to a
hotkey by default can be used by local attackers to circumvent screen
locking utilities.
<product type="ebuild">xkeyboard-config xorg-server</product>
<announced>January 27, 2012</announced>
<revised>January 27, 2012: 1</revised>
<package name="x11-misc/xkeyboard-config" auto="yes" arch="amd64 arm hppa x86">
<unaffected range="ge">2.4.1-r3</unaffected>
<vulnerable range="lt">2.4.1-r3</vulnerable>
<p>The X Keyboard Configuration Database provides keyboard configuration
for various X server implementations.
<p>Starting with the =x11-base/xorg-server-1.11 package, the X.Org X Server
again provides debugging functionality that can be used terminate an
application that exclusively grabs mouse and keyboard input, like screen
locking utilities.
<p>Gu1 reported that the X Keyboard Configuration Database maps this
functionality by default to the Ctrl+Alt+Numpad * key combination.
<impact type="normal">
<p>A physically proximate attacker could exploit this vulnerability to gain
access to a locked X session without providing the correct credentials.
<p>Downgrade to any version of x11-base/xorg-server below
# emerge --oneshot --verbose "&lt;x11-base/xorg-server-1.11"
<p>All xkeyboard-config users should upgrade to the latest version:</p>
# emerge --sync
# emerge --ask --oneshot --verbose
<p>NOTE: The X.Org X Server 1.11 was only stable on the AMD64, ARM, HPPA,
and x86 architectures. Users of the stable branches of all other
architectures are not affected and will be directly provided with a fixed
X Keyboard Configuration Database version.
<uri link="">CVE-2012-0064</uri>
<metadata timestamp="Thu, 19 Jan 2012 17:45:40 +0000" tag="requester">a3li</metadata>
<metadata timestamp="Fri, 27 Jan 2012 20:35:28 +0000" tag="submitter">a3li</metadata>