Gentoo Archives: gentoo-announce

From: Alex Legler <a3li@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 201201-16 ] X.Org X Server/X Keyboard Configuration Database: Screen lock bypass
Date: Fri, 27 Jan 2012 22:05:48
Message-Id: 201201272259.49507.a3li@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201201-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
   Title: X.Org X Server/X Keyboard Configuration Database: Screen lock bypass
    Date: January 27, 2012
    Bugs: #399347
      ID: 201201-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A debugging functionality in the X.Org X Server that is bound to a
hotkey by default can be used by local attackers to circumvent screen
locking utilities.

Background
==========

The X Keyboard Configuration Database provides keyboard configuration
for various X server implementations.

Affected packages
=================

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /            Unaffected
    -------------------------------------------------------------------
  1  x11-misc/xkeyboard-config        < 2.4.1-r3             >= 2.4.1-r3
    -------------------------------------------------------------------
    # Package 1 only applies to users of these architectures:
      amd64, arm, hppa, x86

Description
===========

Starting with the =x11-base/xorg-server-1.11 package, the X.Org X
Server again provides debugging functionality that can be used to
terminate an application that exclusively grabs mouse and keyboard
input, such as a screen locking utility.

Gu1 reported that the X Keyboard Configuration Database maps this
functionality by default to the Ctrl+Alt+Numpad * key combination.

Impact
======

A physically proximate attacker could exploit this vulnerability to
gain access to a locked X session without providing the correct
credentials.

Workaround
==========

Downgrade to any version of x11-base/xorg-server below
x11-base/xorg-server-1.11:

  # emerge --oneshot --verbose "<x11-base/xorg-server-1.11"

Resolution
==========

All xkeyboard-config users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=x11-misc/xkeyboard-config-2.4.1-r3"

NOTE: The X.Org X Server 1.11 was only stable on the AMD64, ARM, HPPA,
and x86 architectures. Users of the stable branches of all other
architectures are not affected and will be directly provided with a
fixed X Keyboard Configuration Database version.
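The advisory's applicability reduces to three conditions: an affected architecture, an X server at or above 1.11, and an xkeyboard-config below 2.4.1-r3. The following script (an added example, not part of the GLSA or of any Gentoo tooling) encodes those conditions so an inventory of hosts can be triaged; its version parser is a simplified subset of Portage's rules covering only the forms used here, and the host list is constructed sample data.

```python
import re

# Thresholds and architecture list exactly as stated in GLSA 201201-16.
FIXED_XKEYBOARD_CONFIG = "2.4.1-r3"
AFFECTED_XORG_SERVER_MIN = "1.11"
AFFECTED_ARCHES = {"amd64", "arm", "hppa", "x86"}

# Pre-release suffixes sort below a plain release, _p (patch level) above it.
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "p": 1}
_VERSION_RE = re.compile(
    r"(\d+(?:\.\d+)*)([a-z])?((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?")


def parse_gentoo_version(ver):
    """Map a Gentoo version string to a tuple that compares in Portage order.

    Simplified: dotted numeric core, optional trailing letter, _suffixes and
    the -rN ebuild revision. Leading-zero quirks of real Portage are ignored.
    """
    m = _VERSION_RE.fullmatch(ver)
    if not m:
        raise ValueError(f"unparseable version: {ver}")
    core, letter, suffixes, rev = m.groups()
    nums = tuple(int(x) for x in core.split("."))
    letter_rank = ord(letter) - ord("a") + 1 if letter else 0
    suf = tuple((_SUFFIX_RANK[name], int(n or 0))
                for name, n in re.findall(r"_([a-z]+)(\d*)", suffixes))
    return (nums, letter_rank, suf or ((0, 0),), int(rev or 0))


def version_lt(a, b):
    return parse_gentoo_version(a) < parse_gentoo_version(b)


def assess(arch, xorg_server, xkeyboard_config):
    """Return (affected, reason) for one host under the advisory's conditions."""
    if arch not in AFFECTED_ARCHES:
        return False, f"{arch}: xorg-server 1.11 was never stable on this arch"
    if version_lt(xorg_server, AFFECTED_XORG_SERVER_MIN):
        return False, f"xorg-server {xorg_server} predates the grab-break debugging feature"
    if not version_lt(xkeyboard_config, FIXED_XKEYBOARD_CONFIG):
        return False, f"xkeyboard-config {xkeyboard_config} already carries the fix"
    return True, (f"xkeyboard-config {xkeyboard_config} on xorg-server {xorg_server}: "
                  f"upgrade to >={FIXED_XKEYBOARD_CONFIG}")


# Constructed sample inventory (arch, xorg-server, xkeyboard-config); not real hosts.
SAMPLE_HOSTS = [
    ("amd64", "1.11.2", "2.4.1-r2"),   # vulnerable
    ("amd64", "1.11.2", "2.4.1-r3"),   # fixed revision
    ("x86",   "1.10.4", "2.3"),        # server too old to expose the feature
    ("ppc",   "1.11.2", "2.4.1"),      # outside the advisory's architecture list
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        affected, why = assess(*host)
        print("AFFECTED" if affected else "ok      ", *host, "-", why)
```

On a real Gentoo host the two version strings would come from the installed-package database (for example `/var/db/pkg` or `equery`) rather than the constructed list.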

References
==========

[ 1 ] CVE-2012-0064
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0064

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201201-16.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
