Version in base suite: 2.8 Base version: xtrlock_2.8 Target version: xtrlock_2.8+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/x/xtrlock/xtrlock_2.8.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/x/xtrlock/xtrlock_2.8+deb10u1.dsc Imakefile | 2 - debian/changelog | 17 +++++++++++++ debian/control | 2 - debian/rules | 2 - xtrlock.c | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 91 insertions(+), 3 deletions(-) diff -Nru xtrlock-2.8/Imakefile xtrlock-2.8+deb10u1/Imakefile --- xtrlock-2.8/Imakefile 1997-10-22 10:33:47.000000000 +0000 +++ xtrlock-2.8+deb10u1/Imakefile 2020-01-16 16:00:52.000000000 +0000 @@ -12,6 +12,6 @@ #! MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #! GNU General Public License for more details. -SingleProgramTarget(xtrlock,xtrlock.o,-lcrypt -lX11,) +SingleProgramTarget(xtrlock,xtrlock.o,-lcrypt -lX11 -lXi,) InstallProgram(xtrlock,$(BINDIR)) InstallManPage(xtrlock,$(MANDIR)) diff -Nru xtrlock-2.8/debian/changelog xtrlock-2.8+deb10u1/debian/changelog --- xtrlock-2.8/debian/changelog 2016-05-21 18:08:12.000000000 +0000 +++ xtrlock-2.8+deb10u1/debian/changelog 2020-01-16 16:00:52.000000000 +0000 
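Review bot: The Imakefile now links `-lXi` unconditionally, while `MULTITOUCH` is only defined by debian/rules (`CFLAGS+=-DSHADOW_PWD -DMULTITOUCH`), so a build from this Imakefile without that flag links libXi for no reason and a build with it depends on the packaging to supply the define. If the XI2 code is meant to stay optional, the link flag should follow the same switch (or the define should be set here as well); if it is meant to be always on, the `#ifdef MULTITOUCH` guards in xtrlock.c are dead weight.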
@@ -1,3 +1,20 @@ +xtrlock (2.8+deb10u1) buster; urgency=high + + * CVE-2016-10894: Attempt to grab multitouch devices which are not + intercepted via XGrabPointer. + + xtrlock did not block multitouch events so an attacker could still input + and thus control various programs such as Chromium, etc. via so-called + "multitouch" events such as pan scrolling, "pinch and zoom", or even being + able to provide regular mouse clicks by depressing the touchpad once and + then clicking with a secondary finger. + + This fix does not the situation where Eve plugs in a multitouch device + *after* the screen has been locked. For more information on this angle, + please see . (Closes: #830726) + + -- Chris Lamb Thu, 16 Jan 2020 16:00:52 +0000 + xtrlock (2.8) unstable; urgency=low * patch from Simon Tatham to add a -f option [fork, and return success diff -Nru xtrlock-2.8/debian/control xtrlock-2.8+deb10u1/debian/control --- xtrlock-2.8/debian/control 2014-01-07 14:26:09.000000000 +0000 +++ xtrlock-2.8+deb10u1/debian/control 2020-01-16 16:00:52.000000000 +0000 @@ -2,7 +2,7 @@ Maintainer: Matthew Vernon Section: x11 Priority: optional -Build-Depends: libx11-dev, x11proto-core-dev, xutils-dev, dpkg-dev (>= 1.16.1~) +Build-Depends: libx11-dev, x11proto-core-dev, xutils-dev, dpkg-dev (>= 1.16.1~), libxi-dev Standards-Version: 3.9.1 Package: xtrlock diff -Nru xtrlock-2.8/debian/rules xtrlock-2.8+deb10u1/debian/rules --- xtrlock-2.8/debian/rules 2015-03-07 22:34:07.000000000 +0000 +++ xtrlock-2.8+deb10u1/debian/rules 2020-01-16 16:00:52.000000000 +0000 @@ -11,7 +11,7 @@ export DEB_BUILD_MAINT_OPTIONS = hardening=+all include /usr/share/dpkg/buildflags.mk -CFLAGS+=-DSHADOW_PWD +CFLAGS+=-DSHADOW_PWD -DMULTITOUCH build: $(checkdir) diff -Nru xtrlock-2.8/xtrlock.c xtrlock-2.8+deb10u1/xtrlock.c --- xtrlock-2.8/xtrlock.c 2016-05-21 18:03:35.000000000 +0000 +++ xtrlock-2.8+deb10u1/xtrlock.c 2020-01-16 16:00:52.000000000 +0000 
@@ -41,6 +41,11 @@ #include #endif +#ifdef MULTITOUCH +#include +#include +#endif + #include "lock.bitmap" #include "mask.bitmap" #include "patchlevel.h" @@ -71,6 +76,34 @@ #endif } +#if MULTITOUCH +XIEventMask evmask; + +/* (Optimistically) attempt to grab multitouch devices which are not + * intercepted via XGrabPointer. */ +void handle_multitouch(Cursor cursor) { + XIDeviceInfo *info; + int xi_ndevices; + + info = XIQueryDevice(display, XIAllDevices, &xi_ndevices); + + int i; + for (i = 0; i < xi_ndevices; i++) { + XIDeviceInfo *dev = &info[i]; + + int j; + for (j = 0; j < dev->num_classes; j++) { + if (dev->classes[j]->type == XITouchClass && + dev->use == XISlavePointer) { + XIGrabDevice(display, dev->deviceid, window, CurrentTime, cursor, + GrabModeAsync, GrabModeAsync, False, &evmask); + } + } + } + XIFreeDeviceInfo(info); +} +#endif + int main(int argc, char **argv){ XEvent ev; KeySym ks; @@ -132,7 +165,32 @@ program_version); exit(1); } + +#ifdef MULTITOUCH + unsigned char mask[XIMaskLen(XI_LASTEVENT)]; + int xi_major = 2, xi_minor = 2, xi_opcode, xi_error, xi_event; + + if (!XQueryExtension(display, INAME, &xi_opcode, &xi_event, &xi_error)) { + fprintf(stderr, "xtrlock (version %s): No X Input extension\n", + program_version); + exit(1); + } + if (XIQueryVersion(display, &xi_major, &xi_minor) != Success || + xi_major * 10 + xi_minor < 22) { + fprintf(stderr,"xtrlock (version %s): Need XI 2.2\n", + program_version); + exit(1); + } + + evmask.mask = mask; + evmask.mask_len = sizeof(mask); + memset(mask, 0, sizeof(mask)); + evmask.deviceid = XIAllDevices; + XISetMask(mask, XI_HierarchyChanged); + XISelectEvents(display, DefaultRootWindow(display), &evmask, 1); +#endif + attrib.override_redirect= True; if (blank) { @@ -227,6 +285,10 @@ } } +#ifdef MULTITOUCH + handle_multitouch(cursor); +#endif + for (;;) { XNextEvent(display,&ev); switch (ev.type) { 
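Review bot: The Status returned by XIGrabDevice in handle_multitouch is discarded, so a touch device whose grab fails (AlreadyGrabbed, GrabFrozen, GrabNotViewable, …) silently stays unlocked, even though the XI setup in main treats a missing extension or wrong version as fatal with exit(1); at minimum report it, `if (XIGrabDevice(display, dev->deviceid, window, CurrentTime, cursor, GrabModeAsync, GrabModeAsync, False, &evmask) != GrabSuccess) fprintf(stderr, "xtrlock: could not grab touch device %d\n", dev->deviceid);`, and consider handling it like a pointer-grab failure (the pointer grab loop is in main, outside this hunk). XIQueryDevice can also return NULL, after which `&info[i]` is dereferenced; add `if (!info) return;` before the loop rather than relying on xi_ndevices being zeroed on that path, which I could not confirm from here. The `dev->use == XISlavePointer` test does not depend on j and can move outside the inner loop, and a `break` after a successful grab avoids re-grabbing the same device once per touch class. This block uses `#if MULTITOUCH` while the include hunk above and the main-setup hunk below use `#ifdef MULTITOUCH`, and the GenericEvent case in the last hunk is again `#if`; pick one form — `#ifdef` is the one that matches a bare `-DMULTITOUCH`.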
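Review bot: `mask` is an automatic array in main, but the file-scope `evmask.mask` keeps pointing at it and handle_multitouch later passes `&evmask` to XIGrabDevice from the event loop; that is only safe because main never returns before exit, which nothing states — `static unsigned char mask[XIMaskLen(XI_LASTEVENT)];`, or moving the array next to `evmask`, removes the hidden lifetime dependency. The version test `xi_major * 10 + xi_minor < 22` encodes the version as a decimal and assumes minor numbers stay below ten; `xi_major < 2 || (xi_major == 2 && xi_minor < 2)` says what is meant. The Status of XISelectEvents is ignored; if the hierarchy mask is not installed, touch devices plugged in after the lock are never grabbed, so it deserves the same error report as the XQueryExtension and XIQueryVersion checks just above it. memset needs `<string.h>`, which this change does not add — fine if the file already includes it (not visible in this diff), otherwise it belongs in the include hunk.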
@@ -265,6 +327,15 @@
 break;
 }
 break;
+#if MULTITOUCH
+ case GenericEvent:
+ if (ev.xcookie.extension == xi_opcode &&
+ XGetEventData(display,&ev.xcookie) &&
+ ev.xcookie.evtype == XI_HierarchyChanged) {
+ handle_multitouch(cursor);
+ }
+ break;
+#endif
 default:
 break;
 }
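Review bot: XGetEventData is called whenever the cookie's extension matches xi_opcode, but XFreeEventData is never called, so every XI event delivered to this client leaks its cookie data — including any whose evtype is not XI_HierarchyChanged, where the data is fetched by the condition and then ignored. Split the condition so the data is released on every path on which it was fetched, as below. The enclosing switch and the event loop begin outside this hunk. handle_multitouch is re-run on each hierarchy change and re-grabs devices already held; that is harmless but worth a line such as `/* re-grab everything: a touch device may have been added or re-enabled */`.
```c
      case GenericEvent:
        if (ev.xcookie.extension == xi_opcode &&
            XGetEventData(display, &ev.xcookie)) {
          if (ev.xcookie.evtype == XI_HierarchyChanged) {
            handle_multitouch(cursor);
          }
          /* XGetEventData allocates the cookie data; release it on every path */
          XFreeEventData(display, &ev.xcookie);
        }
        break;
```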