Bug#830726: closed by Chris Lamb (Bug#830726: fixed in xtrlock 2.12)

2019-10-15 Thread Antoine Amarilli
Looks good to me! Thanks again for all your work on this.

Best,

-- 
Antoine Amarilli


On Wed, Oct 16, 2019 at 12:57:16AM -, Chris Lamb wrote:
> Hi Antoine,
> 
> > Looks great! There's a grammar problem "This fix does not the situation"
> > but it doesn't matter.
> 
> Whoops, fixed in:
> 
>   https://salsa.debian.org/debian/xtrlock/commit/e578040d4bedf81874cc2bf1c62d6643b36b527d
> 
> 
> Regards,
> 
> -- 
>   ,''`.
>  : :'  : Chris Lamb
>  `. `'`  la...@debian.org 🍥 chris-lamb.co.uk
>`-




Bug#830726: closed by Chris Lamb (Bug#830726: fixed in xtrlock 2.12)

2019-10-15 Thread Chris Lamb
Hi Antoine,

> Looks great! There's a grammar problem "This fix does not the situation"
> but it doesn't matter.

Whoops, fixed in:

  
https://salsa.debian.org/debian/xtrlock/commit/e578040d4bedf81874cc2bf1c62d6643b36b527d


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org 🍥 chris-lamb.co.uk
   `-



Bug#830726: closed by Chris Lamb (Bug#830726: fixed in xtrlock 2.12)

2019-10-14 Thread Antoine Amarilli
Looks great! There's a grammar problem "This fix does not the situation"
but it doesn't matter.

Best,

-- 
Antoine Amarilli


On Mon, Oct 14, 2019 at 07:13:05PM -, Chris Lamb wrote:
> Hi Antoine,
> 
> ?
> > I see nothing, unless you mean the source code comment?
> 
> Yes, the source code comment. I've expanded the (released) changelog
> entry here:
> 
>   https://salsa.debian.org/debian/xtrlock/commit/34e6c7c6c33ce6b7510172a2e05e710a99fdc146
> 
> … so this visibility will be in subsequent releases at the very least.
> 
> 
> Regards,
> 
> -- 
>   ,''`.
>  : :'  : Chris Lamb
>  `. `'`  la...@debian.org 🍥 chris-lamb.co.uk
>`-




Bug#830726: closed by Chris Lamb (Bug#830726: fixed in xtrlock 2.12)

2019-10-14 Thread Chris Lamb
Hi Antoine,

?
> I see nothing, unless you mean the source code comment?

Yes, the source code comment. I've expanded the (released) changelog
entry here:

  
https://salsa.debian.org/debian/xtrlock/commit/34e6c7c6c33ce6b7510172a2e05e710a99fdc146

… so this visibility will be in subsequent releases at the very least.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org 🍥 chris-lamb.co.uk
   `-



Bug#830726: closed by Chris Lamb (Bug#830726: fixed in xtrlock 2.12)

2019-10-14 Thread Antoine Amarilli
Hi Chris,

On Sat, Oct 12, 2019 at 07:13:05PM -, Chris Lamb wrote:
> > Thanks for fixing this and pushing it! Is the final fix also supposed to
> > address the case of an attacker plugging in a new USB multitouch device?
> 
> Alas not; I received no input from upstream after repeated pings so I
> pushed ahead.

Alright -- too bad.

> > If the latter -- should this be pointed out as a known limitation or
> > vulnerability of the package?
> 
> Indeed. I did write that here:
> 
>   https://salsa.debian.org/debian/xtrlock/commit/0254c8652b415263bebadbe1413e71b9ec12e741.diff
> 
> ... but I would concede that is not very visible.

Sorry, I'm not too sure what you mean. What is it that you wrote about
known limitations in
?
I see nothing, unless you mean the source code comment?

In principle I would think there ought to be some kind of record
(besides the discussion on this bug report) that the problem isn't
really fixed. But to be honest I don't care too much personally, as I'm
migrating from X to Wayland and so phasing out xtrlock on my machines. And
it's already great that you could push out that fix, which addresses most of
the concerns.

Best,

-- 
Antoine Amarilli





Bug#830726: closed by Chris Lamb (Bug#830726: fixed in xtrlock 2.12)

2019-10-12 Thread Chris Lamb
Hi Antoine,

> Thanks for fixing this and pushing it! Is the final fix also supposed to
> address the case of an attacker plugging in a new USB multitouch device?

Alas not; I received no input from upstream after repeated pings so I
pushed ahead.

> If the latter -- should this be pointed out as a known limitation or
> vulnerability of the package?

Indeed. I did write that here:

  
https://salsa.debian.org/debian/xtrlock/commit/0254c8652b415263bebadbe1413e71b9ec12e741.diff

... but I would concede that is not very visible. I think I was
subconsciously hoping that a deeper fix would be forthcoming.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org 🍥 chris-lamb.co.uk
   `-



Bug#830726: closed by Chris Lamb (Bug#830726: fixed in xtrlock 2.12)

2019-10-12 Thread Antoine Amarilli
Hi Chris,

Thanks for fixing this and pushing it! Is the final fix also supposed to
address the case of an attacker plugging in a new USB multitouch device?
Or is it just the latest patch I had tested (with the weird quirks when
a new device appears)?

If the latter -- should this be pointed out as a known limitation or
vulnerability of the package?

Best,

-- 
Antoine Amarilli



On Fri, Oct 11, 2019 at 07:57:03PM +, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the xtrlock package:
> 
> #830726: xtrlock: CVE-2016-10894: xtrlock does not block multitouch events
> 
> It has been closed by Chris Lamb .
> 
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Chris Lamb by
> replying to this email.
> 
> 
> -- 
> 830726: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830726
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems

> Date: Fri, 11 Oct 2019 19:52:58 +
> From: Chris Lamb 
> To: 830726-cl...@bugs.debian.org
> Subject: Bug#830726: fixed in xtrlock 2.12
> Message-Id: 
> 
> Source: xtrlock
> Source-Version: 2.12
> 
> We believe that the bug you reported is fixed in the latest version of
> xtrlock, which is due to be installed in the Debian FTP archive.
> 
> A summary of the changes between this version and the previous one is
> attached.
> 
> Thank you for reporting the bug, which will now be closed.  If you
> have further comments please address them to 830...@bugs.debian.org,
> and the maintainer will reopen the bug report if appropriate.
> 
> Debian distribution maintenance software
> pp.
> Chris Lamb  (supplier of updated xtrlock package)
> 
> (This message was generated automatically at their request; if you
> believe that there is a problem with it please contact the archive
> administrators by mailing ftpmas...@ftp-master.debian.org)
> 
> 
> Format: 1.8
> Date: Fri, 11 Oct 2019 12:41:39 -0700
> Source: xtrlock
> Architecture: source
> Version: 2.12
> Distribution: unstable
> Urgency: medium
> Maintainer: Matthew Vernon 
> Changed-By: Chris Lamb 
> Closes: 830726
> Changes:
>  xtrlock (2.12) unstable; urgency=medium
>  .
>* CVE-2016-10894: Attempt to grab multitouch devices which are not
>  intercepted via XGrabPointer. (Closes: #830726)
>* Bump Standards-Version to 4.4.1.
> 

> Date: Sun, 10 Jul 2016 16:18:41 -0400
> From: Antoine Amarilli 
> To: Debian Bug Tracking System 
> Subject: xtrlock does not block multitouch events
> Message-ID: <146818192189.12824.5554238893763808868.report...@gamma.a3nm.net>
> X-Mailer: reportbug 6.6.6
> 
> Package: xtrlock
> Version: 2.8
> Severity: normal
> Tags: upstream
> 
> Dear Maintainer,
> 
> xtrlock appears not to block multitouch events when the session is locked, so
> that any user stumbling upon a locked session can still input multitouch events.
> 
> One could imagine that this could constitute a security vulnerability (requiring
> physical access to the machine).
> 
> Steps to reproduce (on a computer with a suitably configured touchscreen):
> 
> 1. Open chromium (my example of a program that processes multitouch events) and
> put it in fullscreen mode.
> 2. Check that you can pinch and zoom (put two fingers on the screen and move
> them closer or further apart to change the zoom level).
> 3. Run xtrlock to lock the session.
> 4. With xtrlock running, put one finger on the screen and leave it there (the
> mouse pointer with the xtrlock lock icon follows that finger). While doing this,
> perform the pinch and zoom with two other fingers.
> 
> Observed result:
> 
> The pinch and zoom is taken into account by chromium even though the session is
> locked.
> 
> Expected result:
> 
> The event should not be seen by chromium while the session is locked.
> 
> -- System Information:
> Debian Release: stretch/sid
>   APT prefers testing
>   APT policy: (650, 'testing'), (600, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cor