Changelog
xtrlock (2.8+deb9u1) stretch; urgency=high
* CVE-2016-10894: Attempt to grab multitouch devices which are not
intercepted via XGrabPointer.
xtrlock did not block multitouch events so an attacker could still input
and thus control various programs such as Chromium, etc. via so-called
"multitouch" events such as pan scrolling, "pinch and zoom", or even being
able to provide regular mouse clicks by depressing the touchpad once and
then clicking with a secondary finger.
This fix does not address the situation where Eve plugs in a multitouch device
*after* the screen has been locked. For more information on this angle,
please see <https://bugs.debian.org/830726#115>. (Closes: #830726)
-- Chris Lamb <email address hidden> Thu, 16 Jan 2020 16:00:52 +0000