# Security hole: Screensaver unlock bug in Xorg

## ippipp

http://www.phoronix.com/scan.php?page=news_item&px=MTA0NTA

My "amd64" gentoo is affected by this bug.

(Exploited by ctrl+alt+numlockpad*)Last edited by ippipp on Thu Jan 19, 2012 11:48 am; edited 1 time in total

----------

## ippipp

Comment out those lines:

cat /usr/share/X11/xkb/symbols/keypad |grep -A4 ClsGrb

// ClsGrb kills whichever client has a grab in effect

//    key <KPMU> {

//        type="CTRL+ALT",

//        symbols[Group1]= [ KP_Multiply,       KP_Multiply, KP_Multiply, KP_Multiply, XF86_ClearGrab ]

//    };

--

// ClsGrb kills whichever client has a grab in effect

//    key <KOMU> {

//        type="CTRL+ALT",

//        symbols[Group1]= [ KP_Multiply, KP_Multiply, KP_Multiply, KP_Multiply, XF86_ClearGrab ]

//    };

----------

## ippipp

Ctrl+Alt+numlock/      <-------- same exploit

Fix: 

// Ungrab cancels server/keyboard/pointer grabs

//    key <KPDV> {

//        type="CTRL+ALT",

//        symbols[Group1]= [ KP_Divide, KP_Divide, KP_Divide, KP_Divide, XF86_Ungrab ]

//    };

// Ungrab cancels server/keyboard/pointer grabs

//    key <KODV> {

//        type="CTRL+ALT",

//        symbols[Group1]= [ KP_Divide, KP_Divide, KP_Divide, KP_Divide, XF86_Ungrab ]

//    };

----------

## phajdan.jr

This is https://bugs.gentoo.org/show_bug.cgi?id=399347

----------

## Ant P.

Wait, haven't these shortcuts been around for years now? I remember finding them back when enabling DontZap by default was first being talked about, along with Ctrl+Alt+[+-] to change resolution (which apparently doesn't work any more).

----------

## Hu

They have existed for a long time, but my recollection is that they were disabled-by-default back then.  I do not recall whether they were disabled by the distribution or shipped that way from upstream.  Somewhere along the way, they got dropped and then reimplemented in a way that ended up enabled by default.

----------

