[Secure-testing-team] Bug#656494: [xserver-xorg-core] All screen-lockers broken by a keypress (Ctrl+Alt+* (keypad))

Mario Palomo mariopal at gmail.com
Thu Jan 19 17:21:11 UTC 2012


Package: xserver-xorg-core
Version: 2:1.11.3.901-1
Severity: critical
Tags: security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org

It is possible to kill every screensaver/screen locker program
(gnome-screensaver, kscreenlocker, slock, slimlock...) on the latest
version of Xorg (1.11) using the Ctrl+Alt+Multiply key binding. It
didn't work for multiply from shift+plus (Spanish keyboard layout) but
the keypad's plus (involving Num lock) did bypass the password dialog.
I have tested it with kscreenlocker.

This behavior seems to have been introduced in a recent commit in Xorg upstream:
http://cgit.freedesktop.org/xorg/xserver/commit/?id=7d2543a3cb3089241982ce4f8984fd723d5312a1

(source: http://seclists.org/oss-sec/2012/q1/191)


--- System information. ---
Architecture: i386
Kernel: Linux 3.1.0-1-686-pae

Debian Release: wheezy/sid
500 unstable www.debian-multimedia.org
500 unstable http.us.debian.org
500 stable security.debian.org

--- Package information. ---
Depends (Version) | Installed
==============================================-+-====================
xserver-common (>= 2:1.11.3.901-1) | 2:1.11.3.901-1
keyboard-configuration | 1.75
udev (>= 149) | 175-3
libaudit0 (>= 1.7.13) | 1.7.18-1
libc6 (>= 2.8) | 2.13-24
libdrm2 (>= 2.3.1) | 2.4.30-1
libgcrypt11 (>= 1.4.5) | 1.5.0-3
libpciaccess0 (>= 0.10.7) | 0.12.902-1
libpixman-1-0 (>= 0.21.6) | 0.24.0-1
libselinux1 (>= 2.0.82) | 2.1.0-4
libudev0 (>= 146) | 175-3
libxau6 | 1:1.0.6-4
libxdmcp6 | 1:1.1.0-4
libxfont1 (>= 1:1.4.2) | 1:1.4.4-1


Recommends (Version) | Installed
=================================-+-==============
libgl1-mesa-dri (>= 7.10.2-4) | 7.11.2-1


Suggests (Version) | Installed
==============================-+-===========
xfonts-100dpi | 1:1.0.3
OR xfonts-75dpi | 1:1.0.3
xfonts-scalable | 1:1.0.3-1




