
Bug#474785: marked as done (xserver-xorg: XQueryKeymap works for untrusted clients -- breaks Security Extension Specification?)



Your message dated Mon, 21 Apr 2008 23:37:32 +0200
with message-id <480D091C.8000903@ens-lyon.org>
and subject line Re: Bug#474785: xserver-xorg: XQueryKeymap works for untrusted clients -- breaks Security Extension Specification?
has caused the Debian Bug report #474785,
regarding xserver-xorg: XQueryKeymap works for untrusted clients -- breaks Security Extension Specification?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
474785: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=474785
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: xserver-xorg
Version: 1:7.1.0-19
Severity: normal
Tags: security

Steps to reproduce:
1) start two xterm windows
2) (xterm1) ssh -X example.com
3) (xterm1) download and build http://www.acm.vt.edu/~jmaxwell/programs/xspy/xspy-1.0c.tar.gz
4) (xterm1) ./xspy -display $DISPLAY
5) (xterm2) type something

Expected results:
5) the untrusted xspy client can not see what the user types

Actual results:
5) the untrusted xspy client can see what the user types

More info:
1) The "Security Extension Specification" in xorg-docs package states
that untrusted clients should not be able to get information using
XQueryKeymap:

  "The bit vector representing the up/down state of the keys
   returned by QueryKeymap and KeymapNotify is all zeroes."

2) xorg clearly has code to do this zeroing in dix/devices.c function
ProcQueryKeymap()

> if (XaceHook(XACE_DEVICE_ACCESS, client, inputInfo.keyboard, TRUE))
>     for (i = 0; i<32; i++)
>         rep.map[i] = down[i];
> else
>     bzero((char *)&rep.map[0], 32);

but I can not figure out why it is not effective.

3) I have personally managed to reproduce this behavior also with
vnc4server 4.1.1+X4.3.0-21 on debian etch and have heard that it also
occurs on lenny with xserver-xorg 7.2-5

4) I have not been able to reproduce this problem on a university computer with

X Window System Version 6.9.0
Release Date: 21 December 2005
X Protocol Version 11, Revision 0, Release 6.9
Build Operating System: FreeBSD 6.2 i386 [ELF]
Current Operating System: FreeBSD XXXX 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #18: Mon Dec 18 15:46:16 EET 2006     root@XXXX:/usr/obj/usr/src/sys/XXXX-SMP i386
Build Date: 22 January 2007
        Before reporting problems, check http://wiki.X.Org
        to make sure that you have the latest version.
Module Loader present




--- End Message ---
--- Begin Message ---
If I read the earlier reply correctly, there is no bug here.

Brice



--- End Message ---
