Your message dated Sun, 22 Mar 2020 20:42:49 +0000
with message-id <e1jg7qn-000gg4...@fasolo.debian.org>
and subject line Bug#830726: fixed in xtrlock 2.8+deb9u1
has caused the Debian Bug report #830726,
regarding xtrlock: CVE-2016-10894: xtrlock does not block multitouch events
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
830726: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830726
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xtrlock
Version: 2.8
Severity: normal
Tags: upstream
Dear Maintainer,
xtrlock appears not to block multitouch events when the session is locked, so
that any user stumbling upon a locked session can still input multitouch events.
One could imagine that this could constitute a security vulnerability (requiring
physical access to the machine).
Steps to reproduce (on a computer with a suitably configured touchscreen):
1. Open chromium (my example of a program that processes multitouch events) and
put it in fullscreen mode.
2. Check that you can pinch and zoom (put two fingers on the screen and move
them closer or further apart to change the zoom level).
3. Run xtrlock to lock the session.
4. With xtrlock running, put one finger on the screen and leave it there (the
mouse pointer with the xtrlock lock icon follows that finger). While doing this,
perform the pinch and zoom with two other fingers.
Observed result:
The pinch and zoom is taken into account by chromium even though the session is
locked.
Expected result:
The event should not be seen by chromium while the session is locked.
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (650, 'testing'), (600, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages xtrlock depends on:
ii libc6 2.22-13
ii libx11-6 2:1.6.3-1
xtrlock recommends no packages.
xtrlock suggests no packages.
-- debconf-show failed
--- End Message ---
--- Begin Message ---
Source: xtrlock
Source-Version: 2.8+deb9u1
Done: Chris Lamb <la...@debian.org>
We believe that the bug you reported is fixed in the latest version of
xtrlock, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 830...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated xtrlock package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 16 Jan 2020 16:00:52 +0000
Source: xtrlock
Binary: xtrlock
Architecture: source
Version: 2.8+deb9u1
Distribution: stretch
Urgency: high
Maintainer: Matthew Vernon <matt...@debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Description:
xtrlock - Minimal X display lock program
Closes: 830726
Changes:
xtrlock (2.8+deb9u1) stretch; urgency=high
.
* CVE-2016-10894: Attempt to grab multitouch devices which are not
intercepted via XGrabPointer.
.
xtrlock did not block multitouch events so an attacker could still input
and thus control various programs such as Chromium, etc. via so-called
"multitouch" events such as pan scrolling, "pinch and zoom", or even being
able to provide regular mouse clicks by depressing the touchpad once and
then clicking with a secondary finger.
.
This fix does not address the situation where Eve plugs in a multitouch device
*after* the screen has been locked. For more information on this angle,
please see <https://bugs.debian.org/830726#115>. (Closes: #830726)
Checksums-Sha1:
3868359c01d305263ab4a2d75a3b782a18947bcc 1457 xtrlock_2.8+deb9u1.dsc
e3a12ff00c5e7b01ab5d093eafa1e26defb24f0b 21823 xtrlock_2.8+deb9u1.tar.gz
28f7890c85279f310c5256e3174e4760aba36072 5503 xtrlock_2.8+deb9u1_amd64.buildinfo
Checksums-Sha256:
0c165522c0f09e3ca44ccd26e1bc24ae6496aee76c4ae1216805b8127a4e3387 1457 xtrlock_2.8+deb9u1.dsc
33c26b5c1e345c6840e54f636316fa43de230872dce235f48cc81e1ceaae5bbe 21823 xtrlock_2.8+deb9u1.tar.gz
d874d380feb66b97c89e42553a149a2d17e6e58643f05094af8d2b4b19e9ec56 5503 xtrlock_2.8+deb9u1_amd64.buildinfo
Files:
d4f93d24d9d9194396c39cfa3b499d67 1457 x11 optional xtrlock_2.8+deb9u1.dsc
8949706713aef3b3e1c23ed194ff2510 21823 x11 optional xtrlock_2.8+deb9u1.tar.gz
0bd7a99543e9251a7a824d24305b032b 5503 x11 optional xtrlock_2.8+deb9u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---