[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: What is a security bug?

* Jochen Striepe:

>     Hi,
>
> On 28 Nov 2005, Michelle Konzack wrote:
>> If you allow to run apps as different user on the
>> same desktop, you pick security holes in your system.
>
> Please explain that, I don't understand at all.

Trusted X applications ("trusted" in the sense that they are not
limited by the X security extension) can read screen contents,
eavesdrop keypresses (even if XGrabKeyboard is active), and send key
presses to xterms even if allowSendEvents is disabled (the default).

See <http://www.enyo.de/fw/security/notes/zwei-x-schwachstellen.html>
(German) and:

<http://lists.enyo.de/pipermail/security-announce/2005-May/000001.html>
<http://lists.enyo.de/pipermail/security-announce/2005-May/000002.html>
Reply to: