Debian Bug report logs - #830726
xtrlock: CVE-2016-10894: xtrlock does not block multitouch events
Report forwarded to debian-bugs-dist@lists.debian.org, a3nm@a3nm.net, Matthew Vernon <matthew@debian.org>: Bug#830726; Package xtrlock. (Sun, 10 Jul 2016 20:21:06 GMT)
Acknowledgement sent to Antoine Amarilli <a3nm@a3nm.net>: New Bug report received and forwarded. Copy sent to a3nm@a3nm.net, Matthew Vernon <matthew@debian.org>. (Sun, 10 Jul 2016 20:21:07 GMT)
Message #5 received at submit@bugs.debian.org:
Package: xtrlock
Version: 2.8
Severity: normal
Tags: upstream
Dear Maintainer,
xtrlock appears not to block multitouch events when the session is locked, so
that any user stumbling upon a locked session can still input multitouch events.
One could imagine that this could constitute a security vulnerability (requiring
physical access to the machine).
Steps to reproduce (on a computer with a suitably configured touchscreen):
1. Open chromium (my example of a program that processes multitouch events) and
put it in fullscreen mode.
2. Check that you can pinch and zoom (put two fingers on the screen and move
them closer or further apart to change the zoom level).
3. Run xtrlock to lock the session.
4. With xtrlock running, put one finger on the screen and leave it there (the
mouse pointer with the xtrlock lock icon follows that finger). While doing this,
perform the pinch and zoom with two other fingers.
Observed result:
The pinch and zoom is taken into account by chromium even though the session is
locked.
Expected result:
The event should not be seen by chromium while the session is locked.
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (650, 'testing'), (600, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages xtrlock depends on:
ii libc6 2.22-13
ii libx11-6 2:1.6.3-1
xtrlock recommends no packages.
xtrlock suggests no packages.
-- debconf-show failed
Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>: Bug#830726; Package xtrlock. (Sun, 21 Jul 2019 18:39:09 GMT)
Acknowledgement sent to "Chris Lamb" <lamby@debian.org>: Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>. (Sun, 21 Jul 2019 18:39:09 GMT)
Message #10 received at 830726@bugs.debian.org:
Hi,
> The pinch and zoom is taken into account by chromium even
> though the session is locked.
I cannot reproduce this. (Can you still?)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>: Bug#830726; Package xtrlock. (Fri, 09 Aug 2019 23:51:03 GMT)
Acknowledgement sent to Antoine Amarilli <a3nm@a3nm.net>: Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>. (Fri, 09 Aug 2019 23:51:03 GMT)
Message #15 received at 830726@bugs.debian.org:
Hi Chris,
I can still reproduce this. I just booted a USB key with a live Debian
stable image from
https://cdimage.debian.org/debian-cd/current-live/amd64/bt-hybrid/debian-live-10.0.0-amd64-standard.iso.torrent
on the affected hardware (Lenovo IdeaPad Yoga 13 with an ELAN
touchscreen). It booted to a TTY, so I apt-get installed xserver-xorg,
openbox, slim, chromium, xtrlock, started a graphical session, and I
could reproduce the problem: run chromium, run xtrlock, press one finger
on the screen (the mouse pointer with the padlock icon moves to that
finger), then interact with chromium with the other fingers.
The problem is not actually limited to multitouch events in Chromium
(i.e., not just pinch and zoom), as I can e.g. minimize chromium by
tapping the minimize icon with the second finger while the first finger
"holds" the xtrlock icon, and generally interact with the chromium
interface (though not all interface elements work, for some reason).
I can only see this problem with chromium; I cannot interact with other
windows (e.g., xterm, firefox) in this way. This may be linked to the
fact that the chromium window is not decorated, i.e., it does not have
the openbox decorations.
Are you sure you tried to reproduce it with multiple fingers as above?
Are you sure you are using a touchscreen with multitouch support?
Now that I notice this is not limited to multitouch events, this looks
to me like a genuine vulnerability affecting xtrlock when such hardware
is present (or can be plugged in): an attacker can, e.g., completely
mess around with the chromium settings while the session is "locked" by
xtrlock.
--
Antoine Amarilli
[signature.asc (application/pgp-signature, inline)]
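A practical stop-gap while a locker leaves touchscreen input reachable, as the two reports above describe, is to take the touchscreen out of the X server before locking and put it back after the unlock. The script below is an added example, not code from the bug report or from xtrlock. It assumes the `xinput` command-line tool is installed, that `xinput list --short` prints one `↳ <name> id=<n> [slave pointer (..)]` line per slave device, and that a device is a touchscreen when its name contains "touchscreen" (a naming heuristic; check it against `xinput list` on your own hardware). The sample listing embedded in it is constructed for the example, not captured from either reporter's machine. It does not help against the case Antoine raises of a device plugged in after the session is locked, because it only disables devices present at lock time.

```python
"""Disable touchscreen input devices around a screen-lock invocation.

Added example (not part of the Debian bug report or of xtrlock).
Assumes the `xinput` CLI from the xinput package; the device-name
heuristic below is an assumption to verify on your hardware.
"""
import re
import subprocess

# Constructed sample of `xinput list --short` output (illustrative names,
# not captured from the reporter's Yoga 13 or the maintainer's XPS 13).
SAMPLE_XINPUT_LIST = """\
⎡ Virtual core pointer                    \tid=2\t[master pointer  (3)]
⎜   ↳ Virtual core XTEST pointer              \tid=4\t[slave  pointer  (2)]
⎜   ↳ ELAN Touchscreen                        \tid=11\t[slave  pointer  (2)]
⎜   ↳ SynPS/2 Synaptics TouchPad              \tid=13\t[slave  pointer  (2)]
⎜   ↳ Logitech USB Optical Mouse              \tid=9\t[slave  pointer  (2)]
⎣ Virtual core keyboard                   \tid=3\t[master keyboard (2)]
    ↳ Virtual core XTEST keyboard             \tid=5\t[slave  keyboard (3)]
    ↳ AT Translated Set 2 keyboard            \tid=12\t[slave  keyboard (3)]
"""

# Only slave devices carry the "↳" marker; master devices are never disabled.
_SLAVE_RE = re.compile(
    r"↳\s*(?P<name>.+?)\s+id=(?P<id>\d+)\s+\[slave\s+(?P<kind>pointer|keyboard)"
)
# Assumed heuristic: touchscreens advertise "Touchscreen"/"touch screen" in their name.
_TOUCHSCREEN_RE = re.compile(r"touch\s*screen", re.IGNORECASE)


def parse_devices(listing):
    """Return (id, name, kind) for every slave device in `xinput list --short` output."""
    devices = []
    for line in listing.splitlines():
        m = _SLAVE_RE.search(line)
        if m:
            devices.append((int(m.group("id")), m.group("name").strip(), m.group("kind")))
    return devices


def touchscreen_ids(listing):
    """IDs of slave pointer devices whose name looks like a touchscreen."""
    return [dev_id for dev_id, name, kind in parse_devices(listing)
            if kind == "pointer" and _TOUCHSCREEN_RE.search(name)]


def xinput_commands(ids, action):
    """Build the argv lists that enable or disable the given device ids."""
    if action not in ("disable", "enable"):
        raise ValueError("action must be 'disable' or 'enable', got %r" % (action,))
    return [["xinput", action, str(dev_id)] for dev_id in ids]


def lock_with_touchscreens_disabled(locker=("xtrlock",)):
    """Disable touchscreens, run the locker until it exits, then re-enable them.

    Requires a running X session (DISPLAY set) and the xinput tool.
    Devices hot-plugged after this point are not covered.
    """
    listing = subprocess.run(["xinput", "list", "--short"], check=True,
                             capture_output=True, text=True).stdout
    ids = touchscreen_ids(listing)
    for cmd in xinput_commands(ids, "disable"):
        subprocess.run(cmd, check=True)
    try:
        # xtrlock blocks until the correct password has been typed.
        return subprocess.run(list(locker)).returncode
    finally:
        for cmd in xinput_commands(ids, "enable"):
            subprocess.run(cmd, check=False)


if __name__ == "__main__":
    raise SystemExit(lock_with_touchscreens_disabled())
```

Run it in place of `xtrlock` from the same X session; the `finally` block re-enables the touchscreen even if the locker exits abnormally, so a crash does not leave the device dead. Because disabling happens client-side through `xinput`, anything able to talk to the same X server (the logged-in user's own processes) can re-enable the device, so this is a usability mitigation for the reported scenario, not a replacement for a locker that handles touch input itself.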
Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>: Bug#830726; Package xtrlock. (Sun, 11 Aug 2019 13:03:03 GMT)
Acknowledgement sent to "Chris Lamb" <lamby@debian.org>: Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>. (Sun, 11 Aug 2019 13:03:03 GMT)
Message #20 received at 830726@bugs.debian.org:
severity 830726 + important
thanks
Hi Antoine,
> I can still reproduce this. I just booted an USB key with […]
Sorry, I did not automatically receive your reply. In addition,
perhaps I missed the bit about the multitouch *touchscreen* — I can
now reproduce this on my Dell XPS 13.
Elevating the severity for the time being whilst I investigate more.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org 🍥 chris-lamb.co.uk
`-
Severity set to 'important' from 'normal'. Request was from "Chris Lamb" <lamby@debian.org> to control@bugs.debian.org. (Sun, 11 Aug 2019 13:09:07 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>: Bug#830726; Package xtrlock. (Fri, 16 Aug 2019 04:18:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>. (Fri, 16 Aug 2019 04:18:03 GMT)
Message #27 received at 830726@bugs.debian.org:
Control: tags 830726 + security
Control: retitle 830726 xtrlock: CVE-2016-10894: xtrlock does not block multitouch events
Hi,
This issue has been assigned CVE-2016-10894.
Regards,
Salvatore
Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to 830726-submit@bugs.debian.org. (Fri, 16 Aug 2019 04:18:03 GMT)
Changed Bug title to 'xtrlock: CVE-2016-10894: xtrlock does not block multitouch events' from 'xtrlock does not block multitouch events'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 830726-submit@bugs.debian.org. (Fri, 16 Aug 2019 04:18:04 GMT)
Last modified: Fri Aug 16 09:35:12 2019