
Bug#474785: xserver-xorg: XQueryKeymap works for untrusted clients -- breaks Security Extension Specification?



Package: xserver-xorg
Version: 1:7.1.0-19
Severity: normal
Tags: security

Steps to reproduce:
1) start two xterm windows
2) (xterm1) ssh -X example.com
3) (xterm1) download and build http://www.acm.vt.edu/~jmaxwell/programs/xspy/xspy-1.0c.tar.gz
4) (xterm1) ./xspy -display $DISPLAY
5) (xterm2) type something

Expected results:
5) the untrusted xspy client cannot see what the user types

Actual results:
5) the untrusted xspy client can see what the user types

More info:
1) The "Security Extension Specification" in xorg-docs package states
that untrusted clients should not be able to get information using
XQueryKeymap:

  "The bit vector representing the up/down state of the keys
   returned by QueryKeymap and KeymapNotify is all zeroes."

2) xorg clearly has code to do this zeroing in dix/devices.c function
ProcQueryKeymap()

> if (XaceHook(XACE_DEVICE_ACCESS, client, inputInfo.keyboard, TRUE))
>     for (i = 0; i<32; i++)
>         rep.map[i] = down[i];
> else
>     bzero((char *)&rep.map[0], 32);

but I can not figure out why it is not effective.

3) I have personally managed to reproduce this behavior also with
vnc4server 4.1.1+X4.3.0-21 on debian etch and have heard that it also
occurs on lenny with xserver-xorg 7.2-5

4) I have not been able to reproduce this problem on a university computer with

X Window System Version 6.9.0
Release Date: 21 December 2005
X Protocol Version 11, Revision 0, Release 6.9
Build Operating System: FreeBSD 6.2 i386 [ELF]
Current Operating System: FreeBSD XXXX 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #18: Mon Dec 18 15:46:16 EET 2006     root@XXXX:/usr/obj/usr/src/sys/XXXX-SMP i386
Build Date: 22 January 2007
        Before reporting problems, check http://wiki.X.Org
        to make sure that you have the latest version.
Module Loader present



