Hi Chris,

Thanks for fixing this and pushing it! Is the final fix also supposed to address the case of an attacker plugging in a new USB multitouch device? Or is it just the latest patch I had tested (with the weird quirks when a new device appears)?
If the latter -- should this be pointed out as a known limitation or vulnerability of the package?

Best,

-- 
Antoine Amarilli

On Fri, Oct 11, 2019 at 07:57:03PM +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the xtrlock package:
> 
> #830726: xtrlock: CVE-2016-10894: xtrlock does not block multitouch events
> 
> It has been closed by Chris Lamb <la...@debian.org>.
> 
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Chris Lamb
> <la...@debian.org> by
> replying to this email.
> 
> 
> -- 
> 830726: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830726
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
> 
> Date: Fri, 11 Oct 2019 19:52:58 +0000
> From: Chris Lamb <la...@debian.org>
> To: 830726-cl...@bugs.debian.org
> Subject: Bug#830726: fixed in xtrlock 2.12
> Message-Id: <e1ij0ya-000fxj...@fasolo.debian.org>
> 
> Source: xtrlock
> Source-Version: 2.12
> 
> We believe that the bug you reported is fixed in the latest version of
> xtrlock, which is due to be installed in the Debian FTP archive.
> 
> A summary of the changes between this version and the previous one is
> attached.
> 
> Thank you for reporting the bug, which will now be closed. If you
> have further comments please address them to 830...@bugs.debian.org,
> and the maintainer will reopen the bug report if appropriate.
> 
> Debian distribution maintenance software
> pp.
> Chris Lamb <la...@debian.org> (supplier of updated xtrlock package)
> 
> (This message was generated automatically at their request; if you
> believe that there is a problem with it please contact the archive
> administrators by mailing ftpmas...@ftp-master.debian.org)
> 
> 
> Format: 1.8
> Date: Fri, 11 Oct 2019 12:41:39 -0700
> Source: xtrlock
> Architecture: source
> Version: 2.12
> Distribution: unstable
> Urgency: medium
> Maintainer: Matthew Vernon <matt...@debian.org>
> Changed-By: Chris Lamb <la...@debian.org>
> Closes: 830726
> Changes:
>  xtrlock (2.12) unstable; urgency=medium
>  .
>    * CVE-2016-10894: Attempt to grab multitouch devices which are not
>      intercepted via XGrabPointer. (Closes: #830726)
>    * Bump Standards-Version to 4.4.1.
> Checksums-Sha1:
>  9a78849e65046057a84e060b9f2c03a571de6fb8 1602 xtrlock_2.12.dsc
>  90fde89622bd85ad2454de1308b10499b66f00e3 20620 xtrlock_2.12.tar.xz
>  4e69677968fc27410bed3b0b54a0945c65a9948f 6187 xtrlock_2.12_amd64.buildinfo
> Checksums-Sha256:
>  21c9bb1a25121afc7adbd1e96694a8390544e09437d296e83a96b6245f88aa7f 1602 xtrlock_2.12.dsc
>  13b634dc6c23a35386e683163d2b8be76de2229e1cd7fb82517cb8e388e278ba 20620 xtrlock_2.12.tar.xz
>  f645e51a15122f1767f25d2580bab930aa248740be79d9a941caf674c9f3207a 6187 xtrlock_2.12_amd64.buildinfo
> Files:
>  5966c685ad31b3b00fa85d674c490eb7 1602 x11 optional xtrlock_2.12.dsc
>  49adf9b39eed6ea717462f5171da5a30 20620 x11 optional xtrlock_2.12.tar.xz
>  79be2ba64b7d7d76096b3028a2aacc88 6187 x11 optional xtrlock_2.12_amd64.buildinfo
> 
> Date: Sun, 10 Jul 2016 16:18:41 -0400
> From: Antoine Amarilli <a...@a3nm.net>
> To: Debian Bug Tracking System <sub...@bugs.debian.org>
> Subject: xtrlock does not block multitouch events
> Message-ID: <146818192189.12824.5554238893763808868.report...@gamma.a3nm.net>
> X-Mailer: reportbug 6.6.6
> 
> Package: xtrlock
> Version: 2.8
> Severity: normal
> Tags: upstream
> 
> Dear Maintainer,
> 
> xtrlock appears not to block multitouch events when the session is locked, so
> that any user stumbling upon a locked session can still input multitouch
> events.
> 
> One could imagine that this could constitute a security vulnerability (requiring
> physical access to the machine).
> 
> Steps to reproduce (on a computer with a suitably configured touchscreen):
> 
> 1. Open chromium (my example of a program that processes multitouch events) and
>    put it in fullscreen mode.
> 2. Check that you can pinch and zoom (put two fingers on the screen and move
>    them closer or further apart to change the zoom level).
> 3. Run xtrlock to lock the session.
> 4. With xtrlock running, put one finger on the screen and leave it there (the
>    mouse pointer with the xtrlock lock icon follows that finger). While doing this,
>    perform the pinch and zoom with two other fingers.
> 
> Observed result:
> 
> The pinch and zoom is taken into account by chromium even though the session is
> locked.
> 
> Expected result:
> 
> The event should not be seen by chromium while the session is locked.
> 
> -- System Information:
> Debian Release: stretch/sid
>   APT prefers testing
>   APT policy: (650, 'testing'), (600, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages xtrlock depends on:
> ii  libc6     2.22-13
> ii  libx11-6  2:1.6.3-1
> 
> xtrlock recommends no packages.
> 
> xtrlock suggests no packages.
> 
> -- debconf-show failed