Package        : xtrlock
Version        : 2.6+deb8u1
CVE ID         : CVE-2016-10894
Debian Bug     : #830726

It was discovered that multitouch devices were not being disabled by the
"xtrlock" screen locking utility.

xtrlock did not block multitouch events, so an attacker could still provide
input to, and thus control, various programs such as Chromium via so-called
"multitouch" events. These include pan scrolling, "pinch and zoom", and even
regular mouse clicks made by depressing the touchpad once and then clicking
with a secondary finger.

For Debian 8 "Jessie", this issue has been fixed in xtrlock version
2.6+deb8u1. However, this fix does not address the situation where an
attacker plugs in a multitouch device *after* the screen has been locked.
For more information on this, please see:

  https://bugs.debian.org/830726#115

We recommend that you upgrade your xtrlock packages pending a deeper fix.

Regards,

--
Chris Lamb
chris-lamb.co.uk
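A host check for the two points above, as an added example that is not part of the advisory: it compares the installed xtrlock version against the Jessie fix and lists attached devices that can deliver multitouch events. The function names are hypothetical, the sample `xinput list --long` output is constructed, and treating "reports XITouchClass" as "multitouch-capable" is an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the advisory. Function names are hypothetical.
FIXED_JESSIE='2.6+deb8u1'   # fixed version for Debian 8 "Jessie", per the advisory

# Exit 0 if version $1 is at least the Jessie fix. Only meaningful on Debian 8:
# other releases carry their own fixed versions, which the advisory does not list.
xtrlock_fixed() {
    dpkg --compare-versions "$1" ge "$FIXED_JESSIE"
}

# Read `xinput list --long` output on stdin and print each slave device that
# reports XITouchClass (assumed here to mean it can deliver multitouch events).
touch_devices() {
    awk '
        /id=[0-9]+/ {
            name = ""
            if ($0 ~ /slave/) {                      # masters can mirror a slave
                name = $0
                sub(/[ \t]*id=[0-9]+.*$/, "", name)  # drop "id=N [slave ...]"
                sub(/^[^A-Za-z0-9]+/, "", name)      # drop tree-drawing glyphs
            }
            next
        }
        /Type: XITouchClass/ && name != "" && name != last { print name; last = name }
    '
}

# Constructed sample of `xinput list --long` output (not from a real host).
sample_xinput() {
    cat <<'EOF'
⎡ Virtual core pointer                      id=2  [master pointer  (3)]
        Class originated from: 11. Type: XITouchClass
⎜   ↳ USB Optical Mouse                     id=12 [slave  pointer  (2)]
        Class originated from: 12. Type: XIButtonClass
⎜   ↳ ELAN Touchscreen                      id=11 [slave  pointer  (2)]
        Class originated from: 11. Type: XITouchClass
        Touch mode: direct
        Max number of touches: 10
EOF
}

# Live check: needs dpkg, xinput and a running X session (DISPLAY set).
audit() {
    ver=$(dpkg-query -W -f='${Version}' xtrlock 2>/dev/null) || ver=""
    if [ -z "$ver" ]; then echo "xtrlock: not installed"
    elif xtrlock_fixed "$ver"; then echo "xtrlock $ver: at or above $FIXED_JESSIE"
    else echo "xtrlock $ver: older than $FIXED_JESSIE, upgrade"; fi
    echo "Touch-capable devices attached now:"; xinput list --long | touch_devices
}

case "${1:-}" in
    --live) audit ;;
    *)      sample_xinput | touch_devices ;;   # demo on the constructed sample
esac
```

Run with `--live` on the host itself. The device list only reflects what is attached at the time of the check; a device plugged in after the screen is locked is the case the advisory says the fix does not handle.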
