繞過 Screensaver Lock 的有趣話題...

Hacker News Daily 上看到「Screensaver lock by-pass via the virtual keyboard」這篇,裡面這邊題到了 screensaver lock 的有趣話題。

先講嚴肅一點的,這個 bug 被編號為 CVE-2020-25712,問題出在 xorg-x11-server 上:

A flaw was found in xorg-x11-server before 1.20.10. A heap-buffer overflow in XkbSetDeviceInfo may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

比較有趣的事情是,這個 bug 是小朋友在亂玩時拉出 virtual keyboard 觸發的:

A few weeks ago, my kids wanted to hack my linux desktop, so they typed and clicked everywhere, while I was standing behind them looking at them play... when the screensaver core dumped and they actually hacked their way in! wow, those little hackers...

然後他說他自己搞不出來:

I tried to recreate the crash on my own with no success, maybe because it required more than 4 little hands typing and using the mouse on the virtual keyboard.

另外一個人也說他家小朋友也弄出 segfault 了:

My kids came upon a similar cinnamon-screensaver segfault! I've emailed details of how to reproduce the problem to root@linuxmint.com.

小朋友超強 XDDD

CVE-2018-14665:setuid 複寫檔案的 security issue...

Twitter 上看到的 security issue,好久沒在這麼普及的軟體上看到這種 bug 了:

CVE - CVE-2018-14665 的說明裡面有提到 1.20.3 前的版本都有中,但沒講到從哪個版本開始,看起來是全系列...?

A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg. X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges.

這一臉 orz...

Ubuntu 18.04 將從 Wayland 換回 Xorg...

在「Ubuntu 18.04 LTS is Switching back to Xorg」這邊看到 Ubuntu 18.04 將要從 Wayland 換回 Xorg 的消息,只能說不意外 XDDD

Ubuntu 官方的說明在「Bionic Beaver 18.04 LTS to use Xorg by default」這邊,文章裡面給了三個理由:

  • Screen sharing in software like WebRTC services, Google Hangouts, Skype, etc works well under Xorg.
  • Remote Desktop control for example RDP & VNC works well under Xorg.
  • Recoverability from Shell crashes is less dramatic under Xorg.

講白了就是還有一堆東西有問題,看起來在 17.10 導入 Wayland 後沒搞定:

17.10, released in October 2017, ships with the Wayland based graphics server as the default and the Xorg based equivalent is available as an option from the login screen.

在 18.04 預設會用 Xorg,但系統內還是會有 Wayland 讓使用者可以選:

The Wayland session will still be available, pre-installed, for people to use, but for our ‘out of the box’ users the Ubuntu experience needs to be stable and provide the features they have come to expect and use in daily life and Xorg is the best choice here, at least for 18.04 LTS, but for 18.10 we will re-evaluate Wayland as the default.

再測個兩年吧 XD

Linux 下多點觸控的設定

看到「Multitouch gestures with libinput dirver on X11, Linux」這個專案,可以在 Linux/X11 下偵測到多點觸控,然後設定對應的按鍵,從他的設定檔就可以看到這套軟體的功能了:

swipe:
  3: 
    left: 
      shortcut: 'alt+Right'
    right: 
      shortcut: 'alt+Left'
    up: 
      shortcut: 'ctrl+t'
    down: 
      shortcut: 'ctrl+w'
  4:
    left: 
      shortcut: 'super+Right'
    right: 
      shortcut: 'super+Left'
    up: 
      shortcut: 'super+a'
    down: 
      shortcut: 'super+s'
pinch:
  in:
    shortcut: 'ctrl+plus'
  out:
     shortcut: 'ctrl+minus'

不知道實際跑起來如何 @_@