X.org vulnerability allows for locked screen to be bypassed by pressing key combination

An enterprising user has reported to seclists.org mailing list a very easy way to bypass a screen locked by a user – by merely hitting few keystrokes.

The user, going by pseudonym Gu1, has reported that by pressing Control + Alt + * (the asterisk key on the numpad) instantly kills most lock screen programs including gnome-screensaver, kscreenlocker, slock and slimlock, amongst others. Further discussion on the mailing list confirms the vulnerability and has been given a CVE id of CVE-2012-0064 by the Red Hat security team.

Further digging from the git sources indicates that all X.org server versions upwards of 1.10.99.902 seem to be affected. To test whether or not you’re affected, just lock your screen and press Ctrl + Alt + * (note: you’ll have to hit the * key on the Numeric keypad, not on numbers on top of the QWERTY row.)

If you’re on Ubuntu Oneric Ocelot, i.e, Ubuntu 11.10, then this won’t affect you since Ubuntu 11.10 runs on X.org version 1.10.4.

As a temporary workaround, commenting

interpret XF86_Ungrab {
action = Private(type=0x86, data=”Ungrab”);
};
interpret XF86_ClearGrab {
action = Private(type=0x86, data=”ClsGrb”);
};

lines from your xfree86 file ( typically found in /usr/share/X11/xkb/compat/ directory) and then running

setxkbmap $(setxkbmap -query | grep layout | awk '{print$2}')

should fix this for now.