
Bug#837575: marked as done (jessie-pu: package suckless-tools/40-1+deb8u1)



Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <1484397423.1091.25.camel@adam-barratt.org.uk>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #837575,
regarding jessie-pu: package suckless-tools/40-1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
837575: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837575
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Release Team,

I would like to update suckless-tools in jessie in order to fix a bug in
the slock command (CVE-2016-6866).

I have contacted the Security Team about this, and they decided this
is not severe enough to warrant a DSA.

Attached is a full debdiff.

Thanks,
Ilias

[CVE-2016-6866] https://security-tracker.debian.org/tracker/CVE-2016-6866

-- 
Ilias
diff -Nru suckless-tools-40/debian/changelog suckless-tools-40/debian/changelog
--- suckless-tools-40/debian/changelog	2016-02-26 13:07:26.000000000 +0200
+++ suckless-tools-40/debian/changelog	2016-09-12 17:25:07.000000000 +0300
@@ -1,3 +1,15 @@
+suckless-tools (40-1+deb8u2) stable-proposed-updates; urgency=medium
+
+  * CVE-2016-6866: Fix SEGV in slock when users account has been disabled.
+    The screen locking application slock called crypt(3) and used the return
+    value for strcmp(3) without checking to see if the return value of crypt(3)
+    was a NULL pointer.
+    If the hash returned by (getspnam()->sp_pwdp) was invalid, crypt(3) would
+    return NULL and set errno to EINVAL. This would cause slock to segfault
+    which then leaves the machine unprotected.
+
+ -- Ilias Tsitsimpis <i.tsitsimpis@gmail.com>  Mon, 12 Sep 2016 16:17:14 +0300
+
 suckless-tools (40-1+deb8u1) stable-proposed-updates; urgency=medium
 
   * Set myself as the maintainer.
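Review bot: the new 40-1+deb8u2 entry describes only the crypt(3) NULL check, but the patch it ships also adds a startup check in main() that exits when the password hash is shorter than two characters. That is a user-visible behaviour change (slock now refuses to start in that case) and deserves its own line in the entry. Minor: "users account" should read "user's account", here and in the patch Description.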
diff -Nru suckless-tools-40/debian/patches/0002_fix-cve-2016-6866.patch suckless-tools-40/debian/patches/0002_fix-cve-2016-6866.patch
--- suckless-tools-40/debian/patches/0002_fix-cve-2016-6866.patch	1970-01-01 02:00:00.000000000 +0200
+++ suckless-tools-40/debian/patches/0002_fix-cve-2016-6866.patch	2016-09-12 16:09:57.000000000 +0300
@@ -0,0 +1,48 @@
+Description: Fix CVE-2016-6866
+ Fix SEGV in slock when users account has been disabled.
+ .
+ The screen locking application slock called crypt(3) and used the return
+ value for strcmp(3) without checking to see if the return value of crypt(3)
+ was a NULL pointer.
+ .
+ If the hash returned by (getspnam()->sp_pwdp) was invalid, crypt(3) would
+ return NULL and set errno to EINVAL. This would cause slock to segfault
+ which then leaves the machine unprotected.
+Author: Markus Teich <markus.teich@stusta.mhn.de>
+Origin: upstream, http://git.suckless.org/slock/commit/?id=d8bec0f6fdc8
+
+Index: b/slock/slock.c
+===================================================================
+--- a/slock/slock.c
++++ b/slock/slock.c
+@@ -85,7 +85,7 @@ readpw(Display *dpy)
+ readpw(Display *dpy, const char *pws)
+ #endif
+ {
+-	char buf[32], passwd[256];
++	char buf[32], passwd[256], *encrypted;
+ 	int num, screen;
+ 	unsigned int len, llen;
+ 	KeySym ksym;
+@@ -118,7 +118,11 @@ readpw(Display *dpy, const char *pws)
+ #ifdef HAVE_BSD_AUTH
+ 				running = !auth_userokay(getlogin(), NULL, "auth-xlock", passwd);
+ #else
+-				running = strcmp(crypt(passwd, pws), pws);
++				errno = 0;
++				if (!(encrypted = crypt(passwd, pws)))
++					fprintf(stderr, "slock: crypt: %s\n", strerror(errno));
++				else
++					running = !!strcmp(encrypted, pws);
+ #endif
+ 				if(running != False)
+ 					XBell(dpy, 100);
+@@ -262,6 +266,8 @@ main(int argc, char **argv) {
+ 
+ #ifndef HAVE_BSD_AUTH
+ 	pws = getpw();
++	if (strlen(pws) < 2)
++		die("slock: failed to get user password hash.\n");
+ #endif
+ 
+ 	if(!(dpy = XOpenDisplay(0)))
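Review bot: in the main() hunk, `strlen(pws) < 2` rejects only an empty or one-character hash field. A longer value that crypt(3) still refuses passes this check, and the failure then surfaces in readpw() after the screen is already locked, where the NULL branch prints the error and leaves `running` unchanged, so no password can unlock the session. Consider probing the hash once at startup, before the display is locked, and calling die() if crypt(3) returns NULL for it, so that slock refuses to start instead of locking a session it can never unlock. Separately, the readpw() hunk now uses `errno` and `strerror()` and no hunk adds an #include; confirm that slock.c already includes <errno.h> and <string.h>.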
diff -Nru suckless-tools-40/debian/patches/series suckless-tools-40/debian/patches/series
--- suckless-tools-40/debian/patches/series	2016-02-26 13:08:45.000000000 +0200
+++ suckless-tools-40/debian/patches/series	2016-09-12 16:01:21.000000000 +0300
@@ -4,3 +4,4 @@
 2003_transparent-makefiles.patch
 2004_use_system_searchpaths.patch
 0001_resize_lockscreen.patch
+0002_fix-cve-2016-6866.patch

--- End Message ---
--- Begin Message ---
Version: 8.7

Hi,

Each of these bugs refers to an update that was included in today's 8.7
point release.

Regards,

Adam

--- End Message ---
