
Bug#656500: marked as done (xkb-data: XF86_Ungrab and XF86_ClearGrab security hole upstream)



Your message dated Fri, 20 Jan 2012 17:48:47 +0000
with message-id <E1RoIZz-0008Mv-Mj@franck.debian.org>
and subject line Bug#656500: fixed in xkeyboard-config 2.5-1
has caused the Debian Bug report #656500,
regarding xkb-data: XF86_Ungrab and XF86_ClearGrab security hole upstream
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
656500: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656500
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: xkb-data
Version: 2.3-2
Severity: grave
Tags: security upstream
Justification: user security hole

	As originally reported at:
---
http://gu1.aeroxteam.fr/2012/01/19/bypass-screensaver-locker-program-xorg-111-and-up/

and further syndicated by:
---
http://www.phoronix.com/scan.php?page=news_item&px=MTA0NTA

the currently shipping version of this package contains a rather glaring
security hole with regard to locking screen savers under X.

	Fix seems to be commenting any references to XF86_Ungrab and
XF86_ClearGrab, at least for the time being.  I'm not sure what the long
term fix will be (reintroducing previously removed functionality
possibly).

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (700, 'testing'), (600, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-- no debconf information



--- End Message ---
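
An added example, not part of the bug report or of xkb-data: a shell check for the interim fix the report describes, listing every uncommented reference to XF86_Ungrab or XF86_ClearGrab under an XKB data directory. The sample files and key names are constructed, and `/usr/share/X11/xkb` as the directory to pass on an installed system is an assumption.

```shell
#!/bin/sh
# Added example (not from the bug report): audit an XKB data tree for active
# references to the two keysyms the report names.

# scan_xkb DIR: print "file:line:text" for each line under DIR that mentions
# XF86_Ungrab or XF86_ClearGrab outside a comment; return 1 if there is none.
scan_xkb() {
    hits=$(find "$1" -type f -exec awk '
        {
            code = $0
            sub(/(\/\/|#).*/, "", code)   # xkbcomp treats // and # as comments
            if (code ~ /XF86_(Ungrab|ClearGrab)/)
                printf "%s:%d:%s\n", FILENAME, FNR, $0
        }' {} +)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# make_sample DIR: write constructed sample files (not copied from xkb-data).
make_sample() {
    mkdir -p "$1/compat" "$1/symbols"
    cat > "$1/compat/sample_active" <<'EOF'
interpret XF86_Ungrab {
    action = NoAction();
};
EOF
    cat > "$1/symbols/sample_fixed" <<'EOF'
// key <FK13> { [ F13, XF86_ClearGrab ] };
# interpret XF86_Ungrab { action = NoAction(); };
key <FK13> { [ F13 ] };
EOF
}

# Scan the directory given as $1 (assumed /usr/share/X11/xkb on an installed
# system), or the constructed sample when no argument is given.
if [ -n "${1:-}" ]; then
    scan_xkb "$1" || echo "no active references under $1"
else
    tmp=$(mktemp -d) && make_sample "$tmp"
    scan_xkb "$tmp" || echo "no active references"
    rm -rf "$tmp"
fi
```

On the constructed sample only the `interpret` line in `compat/sample_active` is reported; the two commented-out references in `symbols/sample_fixed` are ignored.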
--- Begin Message ---
Source: xkeyboard-config
Source-Version: 2.5-1

We believe that the bug you reported is fixed in the latest version of
xkeyboard-config, which is due to be installed in the Debian FTP archive:

xkb-data-udeb_2.5-1_all.udeb
  to main/x/xkeyboard-config/xkb-data-udeb_2.5-1_all.udeb
xkb-data_2.5-1_all.deb
  to main/x/xkeyboard-config/xkb-data_2.5-1_all.deb
xkeyboard-config_2.5-1.diff.gz
  to main/x/xkeyboard-config/xkeyboard-config_2.5-1.diff.gz
xkeyboard-config_2.5-1.dsc
  to main/x/xkeyboard-config/xkeyboard-config_2.5-1.dsc
xkeyboard-config_2.5.orig.tar.gz
  to main/x/xkeyboard-config/xkeyboard-config_2.5.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 656500@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cyril Brulebois <kibi@debian.org> (supplier of updated xkeyboard-config package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 20 Jan 2012 18:21:03 +0100
Source: xkeyboard-config
Binary: xkb-data xkb-data-udeb
Architecture: source all
Version: 2.5-1
Distribution: unstable
Urgency: low
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Cyril Brulebois <kibi@debian.org>
Description: 
 xkb-data   - X Keyboard Extension (XKB) configuration data
 xkb-data-udeb - X Keyboard Extension (XKB) configuration data (udeb)
Closes: 656500
Changes: 
 xkeyboard-config (2.5-1) unstable; urgency=low
 .
   * New upstream release, including:
     - Hide ClearGrab/CloseGrabs actions behind an option.
   * To get those actions back, use the grab:break_actions option. At
     the moment, the corresponding action has been disabled on the
     server side as a hot fix for CVE-2012-0064 (Closes: #656500).
   * Since there's a workaround on the server side already, do not use
     a high urgency, so that this new upstream release and its various
     changes can be tested for a while in unstable.
   * Update URL in watch file.
   * Add xsltproc, xutils-dev build-deps.
   * Keep /usr/share/man out of the udeb, due to a newly-added manpage.
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk8ZpwMACgkQeGfVPHR5Nd1TwACgjnzEzmy2qav0eaO7T+Ukb99e
S5UAniUjtkTzEL5hmLdY3OUSmP0WNgRv
=C5AU
-----END PGP SIGNATURE-----



--- End Message ---
