Debian Security Advisory

DLA-1959-1 xtrlock -- LTS security update

Date Reported:
14 Oct 2019
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2016-10894.
More information:

It was discovered that multitouch devices were not being disabled by the xtrlock screen locking utility.

xtrlock did not block multitouch events so an attacker could still input and thus control various programs such as Chromium, etc. via so-called "multitouch" events including pan scrolling, "pinch and zoom" or even being able to provide regular mouse clicks by depressing the touchpad once and then clicking with a secondary finger.

  • CVE-2016-10894

    xtrlock through 2.10 does not block multitouch events. Consequently, an attacker at a locked screen can send input to (and thus control) various programs such as Chromium via events such as pan scrolling, "pinch and zoom" gestures, or even regular mouse clicks (by depressing the touchpad once and then clicking with a different finger).

For Debian 8 Jessie, these problems have been fixed in version 2.6+deb8u1. However, this fix does not the situation where an attacker plugs in a multitouch device after the screen has been locked (more info).

We recommend that you upgrade your xtrlock packages pending a deeper fix.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: