--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: buster-pu: package xtrlock/2.8+deb10u1
- From: "Chris Lamb" <lamby@debian.org>
- Date: Thu, 16 Jan 2020 23:57:11 -0000
- Message-id: <87a995aa-c2a0-4698-bc2e-8c9b017fb495@sloti26t01>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-CC: team@security.debian.org
Dear stable release managers,
Please consider xtrlock (2.8+deb10u1) for buster:
xtrlock (2.8+deb10u1) buster; urgency=high
* CVE-2016-10894: Attempt to grab multitouch devices which are not
intercepted via XGrabPointer.
xtrlock did not block multitouch events so an attacker could still input
and thus control various programs such as Chromium, etc. via so-called
"multitouch" events such as pan scrolling, "pinch and zoom", or even being
able to provide regular mouse clicks by depressing the touchpad once and
then clicking with a secondary finger.
This fix does not the situation where Eve plugs in a multitouch device
*after* the screen has been locked. For more information on this angle,
please see <https://bugs.debian.org/830726#115>. (Closes: #830726)
The full diff is attached. In addition, this update has been filed at
the behest of the security team after marking this CVE as no-dsa.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
diff --git a/debian/changelog b/debian/changelog
index 91ebaab..ad44f3b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+xtrlock (2.8+deb10u1) buster; urgency=high
+
+ * CVE-2016-10894: Attempt to grab multitouch devices which are not
+ intercepted via XGrabPointer.
+
+ xtrlock did not block multitouch events so an attacker could still input
+ and thus control various programs such as Chromium, etc. via so-called
+ "multitouch" events such as pan scrolling, "pinch and zoom", or even being
+ able to provide regular mouse clicks by depressing the touchpad once and
+ then clicking with a secondary finger.
+
+ This fix does not the situation where Eve plugs in a multitouch device
+ *after* the screen has been locked. For more information on this angle,
+ please see <https://bugs.debian.org/830726#115>. (Closes: #830726)
+
+ -- Chris Lamb <lamby@debian.org> Thu, 16 Jan 2020 16:00:52 +0000
+
xtrlock (2.8) unstable; urgency=low
* patch from Simon Tatham to add a -f option [fork, and return success
diff --git a/Imakefile b/Imakefile
index 68605d8..c792294 100644
--- a/Imakefile
+++ b/Imakefile
@@ -12,6 +12,6 @@
#! MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#! GNU General Public License for more details.
-SingleProgramTarget(xtrlock,xtrlock.o,-lcrypt -lX11,)
+SingleProgramTarget(xtrlock,xtrlock.o,-lcrypt -lX11 -lXi,)
InstallProgram(xtrlock,$(BINDIR))
InstallManPage(xtrlock,$(MANDIR))
diff --git a/debian/control b/debian/control
index c01554d..359d7a0 100644
--- a/debian/control
+++ b/debian/control
@@ -2,7 +2,7 @@ Source: xtrlock
Maintainer: Matthew Vernon <matthew@debian.org>
Section: x11
Priority: optional
-Build-Depends: libx11-dev, x11proto-core-dev, xutils-dev, dpkg-dev (>= 1.16.1~)
+Build-Depends: libx11-dev, x11proto-core-dev, xutils-dev, dpkg-dev (>= 1.16.1~), libxi-dev
Standards-Version: 3.9.1
Package: xtrlock
diff --git a/debian/rules b/debian/rules
index 91b1572..55e8b4e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -11,7 +11,7 @@ DPKG_EXPORT_BUILDFLAGS = 1
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
include /usr/share/dpkg/buildflags.mk
-CFLAGS+=-DSHADOW_PWD
+CFLAGS+=-DSHADOW_PWD -DMULTITOUCH
build:
$(checkdir)
diff --git a/xtrlock.c b/xtrlock.c
index 6117c6f..a08fe4e 100644
--- a/xtrlock.c
+++ b/xtrlock.c
@@ -41,6 +41,11 @@
#include <shadow.h>
#endif
+#ifdef MULTITOUCH
+#include <X11/extensions/XInput.h>
+#include <X11/extensions/XInput2.h>
+#endif
+
#include "lock.bitmap"
#include "mask.bitmap"
#include "patchlevel.h"
@@ -71,6 +76,34 @@ int passwordok(const char *s) {
#endif
}
+#if MULTITOUCH
+XIEventMask evmask;
+
+/* (Optimistically) attempt to grab multitouch devices which are not
+ * intercepted via XGrabPointer. */
+void handle_multitouch(Cursor cursor) {
+ XIDeviceInfo *info;
+ int xi_ndevices;
+
+ info = XIQueryDevice(display, XIAllDevices, &xi_ndevices);
+
+ int i;
+ for (i = 0; i < xi_ndevices; i++) {
+ XIDeviceInfo *dev = &info[i];
+
+ int j;
+ for (j = 0; j < dev->num_classes; j++) {
+ if (dev->classes[j]->type == XITouchClass &&
+ dev->use == XISlavePointer) {
+ XIGrabDevice(display, dev->deviceid, window, CurrentTime, cursor,
+ GrabModeAsync, GrabModeAsync, False, &evmask);
+ }
+ }
+ }
+ XIFreeDeviceInfo(info);
+}
+#endif
+
int main(int argc, char **argv){
XEvent ev;
KeySym ks;
@@ -132,7 +165,32 @@ int main(int argc, char **argv){
program_version);
exit(1);
}
+
+#ifdef MULTITOUCH
+ unsigned char mask[XIMaskLen(XI_LASTEVENT)];
+ int xi_major = 2, xi_minor = 2, xi_opcode, xi_error, xi_event;
+
+ if (!XQueryExtension(display, INAME, &xi_opcode, &xi_event, &xi_error)) {
+ fprintf(stderr, "xtrlock (version %s): No X Input extension\n",
+ program_version);
+ exit(1);
+ }
+ if (XIQueryVersion(display, &xi_major, &xi_minor) != Success ||
+ xi_major * 10 + xi_minor < 22) {
+ fprintf(stderr,"xtrlock (version %s): Need XI 2.2\n",
+ program_version);
+ exit(1);
+ }
+
+ evmask.mask = mask;
+ evmask.mask_len = sizeof(mask);
+ memset(mask, 0, sizeof(mask));
+ evmask.deviceid = XIAllDevices;
+ XISetMask(mask, XI_HierarchyChanged);
+ XISelectEvents(display, DefaultRootWindow(display), &evmask, 1);
+#endif
+
attrib.override_redirect= True;
if (blank) {
@@ -227,6 +285,10 @@ int main(int argc, char **argv){
}
}
+#ifdef MULTITOUCH
+ handle_multitouch(cursor);
+#endif
+
for (;;) {
XNextEvent(display,&ev);
switch (ev.type) {
@@ -265,6 +327,15 @@ int main(int argc, char **argv){
break;
}
break;
+#if MULTITOUCH
+ case GenericEvent:
+ if (ev.xcookie.extension == xi_opcode &&
+ XGetEventData(display,&ev.xcookie) &&
+ ev.xcookie.evtype == XI_HierarchyChanged) {
+ handle_multitouch(cursor);
+ }
+ break;
+#endif
default:
break;
}
--- End Message ---