[SECURITY] [DLA 1959-1] xtrlock security update



Package        : xtrlock
Version        : 2.6+deb8u1
CVE ID         : CVE-2016-10894
Debian Bug     : #830726

It was discovered that multitouch devices were not being disabled
by the "xtrlock" screen locking utility.

xtrlock did not block multitouch events, so an attacker could still
provide input to, and thus control, programs such as Chromium via
so-called "multitouch" events including pan scrolling, "pinch and
zoom", or even regular mouse clicks made by depressing the touchpad
once and then clicking with a secondary finger.

For Debian 8 "Jessie", this issue has been fixed in xtrlock version
2.6+deb8u1. However, this fix does not address the situation where an
attacker plugs in a multitouch device *after* the screen has been
locked. For more information on this, please see:

  https://bugs.debian.org/830726#115

We recommend that you upgrade your xtrlock packages pending a
deeper fix.


Regards,

- -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
