Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/glsa-201201-16.xml
blob: a3d08976f1e3bb21b590f1a44f23fdd4b9b504f5 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201201-16">
  <title>X.Org X Server/X Keyboard Configuration Database: Screen lock bypass</title>
  <synopsis>A debugging functionality in the X.Org X Server that is bound to a
    hotkey by default can be used by local attackers to circumvent screen
    locking utilities.
  </synopsis>
  <product type="ebuild">xkeyboard-config xorg-server</product>
  <announced>2012-01-27</announced>
  <revised count="1">2012-01-27</revised>
  <bug>399347</bug>
  <access>local</access>
  <affected>
    <package name="x11-misc/xkeyboard-config" auto="yes" arch="amd64 arm hppa x86">
      <unaffected range="ge">2.4.1-r3</unaffected>
      <vulnerable range="lt">2.4.1-r3</vulnerable>
    </package>
  </affected>
  <background>
    <p>The X Keyboard Configuration Database provides keyboard configuration
      for various X server implementations.
    </p>
  </background>
  <description>
    <p>Starting with the =x11-base/xorg-server-1.11 package, the X.Org X Server
      again provides debugging functionality that can be used terminate an
      application that exclusively grabs mouse and keyboard input, like screen
      locking utilities.
    </p>
    
    <p>Gu1 reported that the X Keyboard Configuration Database maps this
      functionality by default to the Ctrl+Alt+Numpad * key combination.
    </p>
  </description>
  <impact type="normal">
    <p>A physically proximate attacker could exploit this vulnerability to gain
      access to a locked X session without providing the correct credentials.
    </p>
  </impact>
  <workaround>
    <p>Downgrade to any version of x11-base/xorg-server below
      x11-base/xorg-server-1.11:
    </p>
    
    <code>
      # emerge --oneshot --verbose "&lt;x11-base/xorg-server-1.11"
    </code>
  </workaround>
  <resolution>
    <p>All xkeyboard-config users should upgrade to the latest version:</p>
    
    <code>
      # emerge --sync
      # emerge --ask --oneshot --verbose
      "&gt;=x11-misc/xkeyboard-config-2.4.1-r3"
    </code>
    
    <p>NOTE: The X.Org X Server 1.11 was only stable on the AMD64, ARM, HPPA,
      and x86 architectures. Users of the stable branches of all other
      architectures are not affected and will be directly provided with a fixed
      X Keyboard Configuration Database version.
    </p>
  </resolution>
  <references>
    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0064">CVE-2012-0064</uri>
  </references>
  <metadata timestamp="2012-01-19T17:45:40Z" tag="requester">a3li</metadata>
  <metadata timestamp="2012-01-27T20:35:28Z" tag="submitter">a3li</metadata>
</glsa>