It was found that XKB actions for debugging X.org clients were enabled by default. This could cause a screen locking application such as gnome-screensaver to be killed when those key combinations were triggered. The debugging key actions were introduced in the following commit: http://cgit.freedesktop.org/xorg/xserver/commit/?id=7d2543a3cb3089241982ce4f8984fd723d5312a1 Reference: http://thread.gmane.org/gmane.comp.security.oss.general/6725 Mitigation: http://thread.gmane.org/gmane.comp.security.oss.general/6725/focus=6731
This issue affects the version of xkeyboard-config as shipped with Fedora 16. This issue does not affect the version of xkeyboard-config as shipped with Fedora 15, since the version of Xorg-x11-server does not have the relevant code to trigger the flaw.
Created xkeyboard-config tracking bugs for this issue Affects: fedora-16 [bug 783044]
Xorg supports use of the Ctrl+Alt+Keypad-Multiply key sequence to kill clients with an active keyboard or mouse grab as well as killing any application that may have locked the server. This is disabled by default and can be enabled by adding the following line to xorg.conf: Option "AllowClosedownGrabs" "on" However the disabled grab support was removed in the server 1.4 development cycle. since then, the xorg.conf option had no effect (though the man page entry was removed later in the 1.6 cycle). it was re-introduced in the 1.11 development cycle, so the first version affected is 1.11.1 (Fedora-16) In Red Hat Enterprise Linux 4 and 5 the above mentioned xorg.conf configuration directive is disabled by default, which prevents occurrence of this flaw and allows to enable this behaviour only in cases, where it is desired. The version of Xorg shipped with Red Hat Enterprise Linux 6 is not affected, because the relevant code is missing. This issue was fixed in Fedora by removing the relevant portion of the keyboard mapping from the xfree86 config file.
This issue did NOT affect the version of xorg-x11 and xkeyboard-config in Red Hat Enterprise Linux 4 and 5 respectively. This issue did NOT affect the version of xkeyboard-config in Red Hat Enterprise Linux 6.
Statement: Not vulnerable. This issue did not affect versions of xorg-x11 as shipped with Red Hat Enterprise Linux 4. This issue did not affect versions of xkeyboard-config as shipped with Red Hat Enterprise Linux 5 and 6.
xkeyboard-config-2.3-3.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 783261 has been marked as a duplicate of this bug. ***
*** Bug 783382 has been marked as a duplicate of this bug. ***
Was this supposed to fix this issue: $ rpm -q xkeyboard-config xkeyboard-config-2.3-3.fc16.noarch $ qdbus org.freedesktop.ScreenSaver /ScreenSaver Lock Pressing Control+Alt+KeypadMultiply unlocks the screen.
(In reply to comment #13) > Was this supposed to fix this issue: > > $ rpm -q xkeyboard-config > xkeyboard-config-2.3-3.fc16.noarch > $ qdbus org.freedesktop.ScreenSaver /ScreenSaver Lock > > Pressing Control+Alt+KeypadMultiply unlocks the screen. Did you re-start X after installing the updates?
(In reply to comment #14) > (In reply to comment #13) > > Was this supposed to fix this issue: > > > > $ rpm -q xkeyboard-config > > xkeyboard-config-2.3-3.fc16.noarch > > $ qdbus org.freedesktop.ScreenSaver /ScreenSaver Lock > > > > Pressing Control+Alt+KeypadMultiply unlocks the screen. > > Did you re-start X after installing the updates? Yes, X was restarted. Whole machine rebooted in fact. I forgot to mention I'm using KDE.
Vegard, I need the output of "xkbcomp -xkb :0 -", your xorg.conf (if any) and whatever KDE settings you have configured for your keyboard.
(In reply to comment #16) > Vegard, I need the output of "xkbcomp -xkb :0 -", your xorg.conf (if any) and > whatever KDE settings you have configured for your keyboard. Aha! I was using and old xkb dump to switch "ยค" and "$" on my keyboard. My mistake. Terribly sorry for the noise.