Bug#837575: jessie-pu: package suckless-tools/40-1+deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Dear Release Team,
I would like to update suckless-tools in jessie in order to fix a bug in
the slock command (CVE-2016-6866).
I have contacted the Security Team about this, and they decided this
is not severe enough to warrant a DSA.
Attached is a full debdiff.
Thanks,
Ilias
[CVE-2016-6866] https://security-tracker.debian.org/tracker/CVE-2016-6866
--
Ilias
diff -Nru suckless-tools-40/debian/changelog suckless-tools-40/debian/changelog
--- suckless-tools-40/debian/changelog 2016-02-26 13:07:26.000000000 +0200
+++ suckless-tools-40/debian/changelog 2016-09-12 17:25:07.000000000 +0300
@@ -1,3 +1,15 @@
+suckless-tools (40-1+deb8u2) stable-proposed-updates; urgency=medium
+
+ * CVE-2016-6866: Fix SEGV in slock when users account has been disabled.
+ The screen locking application slock called crypt(3) and used the return
+ value for strcmp(3) without checking to see if the return value of crypt(3)
+ was a NULL pointer.
+ If the hash returned by (getspnam()->sp_pwdp) was invalid, crypt(3) would
+ return NULL and set errno to EINVAL. This would cause slock to segfault
+ which then leaves the machine unprotected.
+
+ -- Ilias Tsitsimpis <i.tsitsimpis@gmail.com> Mon, 12 Sep 2016 16:17:14 +0300
+
suckless-tools (40-1+deb8u1) stable-proposed-updates; urgency=medium
* Set myself as the maintainer.
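Review bot: the new changelog entry introduces version 40-1+deb8u2, but the bug title names 40-1+deb8u1; please retitle this pu request to the proposed version so the release team's tracking matches the eventual upload. In the first bullet, "users account" should read "user's account" (the same sentence is repeated in the DEP-3 Description of the patch). If a Debian bug has been filed for this CVE, add the corresponding Closes: reference to this entry as well.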
diff -Nru suckless-tools-40/debian/patches/0002_fix-cve-2016-6866.patch suckless-tools-40/debian/patches/0002_fix-cve-2016-6866.patch
--- suckless-tools-40/debian/patches/0002_fix-cve-2016-6866.patch 1970-01-01 02:00:00.000000000 +0200
+++ suckless-tools-40/debian/patches/0002_fix-cve-2016-6866.patch 2016-09-12 16:09:57.000000000 +0300
@@ -0,0 +1,48 @@
+Description: Fix CVE-2016-6866
+ Fix SEGV in slock when users account has been disabled.
+ .
+ The screen locking application slock called crypt(3) and used the return
+ value for strcmp(3) without checking to see if the return value of crypt(3)
+ was a NULL pointer.
+ .
+ If the hash returned by (getspnam()->sp_pwdp) was invalid, crypt(3) would
+ return NULL and set errno to EINVAL. This would cause slock to segfault
+ which then leaves the machine unprotected.
+Author: Markus Teich <markus.teich@stusta.mhn.de>
+Origin: upstream, http://git.suckless.org/slock/commit/?id=d8bec0f6fdc8
+
+Index: b/slock/slock.c
+===================================================================
+--- a/slock/slock.c
++++ b/slock/slock.c
+@@ -85,7 +85,7 @@ readpw(Display *dpy)
+ readpw(Display *dpy, const char *pws)
+ #endif
+ {
+- char buf[32], passwd[256];
++ char buf[32], passwd[256], *encrypted;
+ int num, screen;
+ unsigned int len, llen;
+ KeySym ksym;
+@@ -118,7 +118,11 @@ readpw(Display *dpy, const char *pws)
+ #ifdef HAVE_BSD_AUTH
+ running = !auth_userokay(getlogin(), NULL, "auth-xlock", passwd);
+ #else
+- running = strcmp(crypt(passwd, pws), pws);
++ errno = 0;
++ if (!(encrypted = crypt(passwd, pws)))
++ fprintf(stderr, "slock: crypt: %s\n", strerror(errno));
++ else
++ running = !!strcmp(encrypted, pws);
+ #endif
+ if(running != False)
+ XBell(dpy, 100);
+@@ -262,6 +266,8 @@ main(int argc, char **argv) {
+
+ #ifndef HAVE_BSD_AUTH
+ pws = getpw();
++ if (strlen(pws) < 2)
++ die("slock: failed to get user password hash.\n");
+ #endif
+
+ if(!(dpy = XOpenDisplay(0)))
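Review bot: the new readpw() branch uses errno and strerror(), yet this hunk adds no `#include <errno.h>`; confirm that the jessie slock.c already includes it, otherwise the build fails or errno is picked up implicitly. The failure direction of the fix is right: when crypt() returns NULL, `running` is left unchanged, so the screen stays locked and the failure is only reported on stderr, instead of the old `strcmp(crypt(passwd, pws), pws)` dereferencing NULL and dropping the lock. The `strlen(pws) < 2` guard in main() only rejects hashes shorter than two characters at startup; any other invalid hash still reaches crypt() at unlock time, so that guard and the NULL check are complementary and should land together, as they do here. Also note `strlen(pws)` assumes getpw() never returns NULL; if it can, the process would crash before the lock is established, which is worth verifying against the jessie getpw(). Finally, the DEP-3 header carries Description, Author and Origin but no Bug or Bug-Debian field; adding a reference to the security-tracker entry for CVE-2016-6866 would help future readers.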
diff -Nru suckless-tools-40/debian/patches/series suckless-tools-40/debian/patches/series
--- suckless-tools-40/debian/patches/series 2016-02-26 13:08:45.000000000 +0200
+++ suckless-tools-40/debian/patches/series 2016-09-12 16:01:21.000000000 +0300
@@ -4,3 +4,4 @@
2003_transparent-makefiles.patch
2004_use_system_searchpaths.patch
0001_resize_lockscreen.patch
+0002_fix-cve-2016-6866.patch