
Bug#816033: jessie-pu: package suckless-tools/40-1



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu


Dear Release Team,

I would like to update suckless-tools in jessie in order to fix a bug in
the slock command. Slock is a simple X display locker.

Recently, slock v1.3 was released and it fixes a bug that can be
considered security related. More specifically, the cover window would
not resize correctly when new screens were added or the resolution was
changed while the lock was active, leading to a part of the screen
being visible (information leakage). The upstream patch that fixes the
above bug can be found here[1].

I contacted the Security Team about this, and they decided this is
not severe enough to warrant a DSA.

Attached is a full debdiff.

Thanks,
Ilias

[1] http://git.suckless.org/slock/commit/?id=f5ef1b8eb5555da1
diff -Nru suckless-tools-40/debian/changelog suckless-tools-40/debian/changelog
--- suckless-tools-40/debian/changelog	2013-09-15 20:03:11.000000000 +0300
+++ suckless-tools-40/debian/changelog	2016-02-26 13:07:26.000000000 +0200
@@ -1,3 +1,14 @@
+suckless-tools (40-1+deb8u1) stable-proposed-updates; urgency=medium
+
+  * Set myself as the maintainer.
+    Package has already been adopted in unstable (ITA: #776482).
+  * Patch slock to properly resize the cover window.
+    The cover window now resizes correctly when new screens are added
+    or the resolution is changed while the lock is active.
+  * Add libxrandr-dev to build dependencies (needed by the above patch).
+
+ -- Ilias Tsitsimpis <i.tsitsimpis@gmail.com>  Fri, 26 Feb 2016 13:05:03 +0200
+
 suckless-tools (40-1) unstable; urgency=low
 
   * Suggest surf which can be used with tabbed.
diff -Nru suckless-tools-40/debian/control suckless-tools-40/debian/control
--- suckless-tools-40/debian/control	2013-06-23 12:30:20.000000000 +0300
+++ suckless-tools-40/debian/control	2016-02-26 13:04:11.000000000 +0200
@@ -1,8 +1,7 @@
 Source: suckless-tools
 Section: x11
 Priority: optional
-Maintainer: Vasudev Kamath <kamathvasudev@gmail.com>
-Uploaders: Michael Stummvoll <michael@stummi.org>
+Maintainer: Ilias Tsitsimpis <i.tsitsimpis@gmail.com>
 Build-Depends: debhelper (>= 9),
  libx11-dev,
  libxinerama-dev,
@@ -10,6 +9,7 @@
  dpkg-dev (>= 1.16.1.1),
  libxss-dev,
  libxft-dev,
+ libxrandr-dev,
  libfreetype6-dev
 Standards-Version: 3.9.4
 Homepage: http://www.suckless.org
diff -Nru suckless-tools-40/debian/patches/0001_resize_lockscreen.patch suckless-tools-40/debian/patches/0001_resize_lockscreen.patch
--- suckless-tools-40/debian/patches/0001_resize_lockscreen.patch	1970-01-01 02:00:00.000000000 +0200
+++ suckless-tools-40/debian/patches/0001_resize_lockscreen.patch	2016-02-26 13:22:15.000000000 +0200
@@ -0,0 +1,76 @@
+Description: Patch slock to correctly resize the cover window
+ Resize the cover window when new screens are added or the resolution is
+ changed while the lock is active. This prevents potential information leakage.
+Author: Markus Teich <markus.teich@stusta.mhn.de>
+Orig: upstream, http://git.suckless.org/slock/commit/?id=f5ef1b8eb555
+
+Index: suckless-tools-40/slock/config.mk
+===================================================================
+--- suckless-tools-40.orig/slock/config.mk
++++ suckless-tools-40/slock/config.mk
+@@ -7,7 +7,7 @@ VERSION = 1.1
+ PREFIX = /usr/local
+ 
+ # includes and libs
+-LIBS = -lc -lcrypt -lX11 -lXext
++LIBS = -lc -lcrypt -lX11 -lXext -lXrandr
+ 
+ # flags
+ CPPFLAGS += -DVERSION=\"${VERSION}\" -DHAVE_SHADOW_H -DCOLOR1=\"black\" -DCOLOR2=\"\#005577\"
+Index: suckless-tools-40/slock/slock.c
+===================================================================
+--- suckless-tools-40.orig/slock/slock.c
++++ suckless-tools-40/slock/slock.c
+@@ -14,6 +14,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <sys/types.h>
++#include <X11/extensions/Xrandr.h>
+ #include <X11/keysym.h>
+ #include <X11/Xlib.h>
+ #include <X11/Xutil.h>
+@@ -33,6 +34,9 @@ typedef struct {
+ static Lock **locks;
+ static int nscreens;
+ static Bool running = True;
++static Bool rr;
++static int rrevbase;
++static int rrerrbase;
+ 
+ static void
+ die(const char *errstr, ...) {
+@@ -146,8 +150,15 @@ readpw(Display *dpy, const char *pws)
+ 				}
+ 			}
+ 			llen = len;
+-		}
+-		else for(screen = 0; screen < nscreens; screen++)
++		} else if (rr && ev.type == rrevbase + RRScreenChangeNotify) {
++			XRRScreenChangeNotifyEvent *rre = (XRRScreenChangeNotifyEvent*)&ev;
++			for (screen = 0; screen < nscreens; screen++) {
++				if (locks[screen]->win == rre->window) {
++					XResizeWindow(dpy, locks[screen]->win, rre->width, rre->height);
++					XClearWindow(dpy, locks[screen]->win);
++				}
++			}
++		} else for (screen = 0; screen < nscreens; screen++)
+ 			XRaiseWindow(dpy, locks[screen]->win);
+ 	}
+ }
+@@ -199,6 +210,8 @@ lockscreen(Display *dpy, int screen) {
+ 	invisible = XCreatePixmapCursor(dpy, lock->pmap, lock->pmap, &color, &color, 0, 0);
+ 	XDefineCursor(dpy, lock->win, invisible);
+ 	XMapRaised(dpy, lock->win);
++	if (rr)
++		XRRSelectInput(dpy, lock->win, RRScreenChangeNotifyMask);
+ 	for(len = 1000; len; len--) {
+ 		if(XGrabPointer(dpy, lock->root, False, ButtonPressMask | ButtonReleaseMask | PointerMotionMask,
+ 			GrabModeAsync, GrabModeAsync, None, invisible, CurrentTime) == GrabSuccess)
+@@ -253,6 +266,7 @@ main(int argc, char **argv) {
+ 
+ 	if(!(dpy = XOpenDisplay(0)))
+ 		die("slock: cannot open display");
++	rr = XRRQueryExtension(dpy, &rrevbase, &rrerrbase);
+ 	/* Get the number of screens in display "dpy" and blank them all. */
+ 	nscreens = ScreenCount(dpy);
+ 	locks = malloc(sizeof(Lock *) * nscreens);
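Review bot: In the new `RRScreenChangeNotify` branch of readpw(), the cover window is resized to `rre->width` by `rre->height` without consulting `rre->rotation`. As far as I know the event does not swap these for a 90° or 270° rotation, so rotating an output while the lock is active could leave the window with its dimensions transposed and a strip of the screen uncovered, which is the same leak this patch is meant to close; this should be confirmed against the Xrandr behaviour on jessie. A guard such as `if (rre->rotation == RR_Rotate_90 || rre->rotation == RR_Rotate_270)` followed by `XResizeWindow(dpy, locks[screen]->win, rre->height, rre->width);`, with the current call kept in the `else`, would cover that case. Separately, the patch header uses `Orig:`, which is not a DEP-3 field name; `Origin: upstream, <url>` is the form the tooling recognises. readpw() and lockscreen() both start and end outside the inner hunks shown here.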
diff -Nru suckless-tools-40/debian/patches/series suckless-tools-40/debian/patches/series
--- suckless-tools-40/debian/patches/series	2013-09-15 19:58:13.000000000 +0300
+++ suckless-tools-40/debian/patches/series	2016-02-26 13:08:45.000000000 +0200
@@ -3,3 +3,4 @@
 2002_dpkg_buildflags.patch
 2003_transparent-makefiles.patch
 2004_use_system_searchpaths.patch
+0001_resize_lockscreen.patch
