
[SECURITY] [DLA 598-1] suckless-tools security update




Package        : suckless-tools
Version        : 38-2+deb7u1
CVE ID         : CVE-2016-6866

It was discovered that the slock screen locking tool would segfault when the
user's account had been disabled.

slock called crypt(3) and passed its return value straight to strcmp(3) without
checking whether crypt(3) had returned a NULL pointer. If the hash read from
getspnam()->sp_pwdp was invalid (as it is for a disabled account), crypt(3)
returned NULL and set errno to EINVAL. strcmp(3) then dereferenced the NULL
pointer and slock segfaulted, which left the machine unprotected.
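The unchecked pattern beside a hardened version, as an added example (not slock's own code). The hasher is injected through a function pointer with crypt(3)'s signature, and `fake_crypt` is a constructed stand-in that mimics glibc's NULL/EINVAL behaviour for an invalid shadow field, so the example runs without libcrypt:

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical hasher type with crypt(3)'s signature, injected so the
 * example runs without linking libcrypt. */
typedef char *(*hash_fn)(const char *key, const char *setting);

enum check_result { CHECK_MATCH, CHECK_MISMATCH, CHECK_ERROR };

/* The pattern the advisory describes: crypt(3)'s result goes straight into
 * strcmp(3).  A NULL result is dereferenced and the locker crashes. */
int check_unsafe(hash_fn hash, const char *entered, const char *stored)
{
    return strcmp(hash(entered, stored), stored) == 0;
}

/* Hardened check: a NULL result (or errno set, as glibc does with EINVAL)
 * is reported as an error, never as a match, so the screen stays locked. */
enum check_result check_safe(hash_fn hash, const char *entered, const char *stored)
{
    errno = 0;
    const char *computed = hash(entered, stored);
    if (computed == NULL || errno != 0)
        return CHECK_ERROR;
    return strcmp(computed, stored) == 0 ? CHECK_MATCH : CHECK_MISMATCH;
}

/* Constructed stand-in for crypt(3): accepts only the toy setting format
 * "$toy$<secret>" and returns "$toy$<key>"; anything else (e.g. a disabled
 * account's "!..." field) yields NULL with errno = EINVAL, like glibc. */
char *fake_crypt(const char *key, const char *setting)
{
    static char buf[128];
    if (setting == NULL || strncmp(setting, "$toy$", 5) != 0) {
        errno = EINVAL;
        return NULL;
    }
    snprintf(buf, sizeof buf, "$toy$%s", key);
    return buf;
}

int main(void)
{
    /* A locked-out account: the shadow field starts with '!'. */
    enum check_result r = check_safe(fake_crypt, "secret", "!$toy$secret");
    printf("disabled account -> %s\n", r == CHECK_ERROR ? "stay locked" : "bug");
    return 0;
}
```

Calling `check_unsafe` with the same disabled-account field would dereference NULL, which is exactly the crash the advisory fixes.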

For Debian 7 "Wheezy", this issue has been fixed in suckless-tools version
38-2+deb7u1.

We recommend that you upgrade your suckless-tools packages.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-


