Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <[email protected]>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #837575,
regarding jessie-pu: package suckless-tools/40-1+deb8u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
837575: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837575
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Dear Release Team,
I would like to update suckless-tools in jessie in order to fix a bug in
the slock command (CVE-2016-6866).
I have contacted the Security Team about this, and they decided this
is not severe enough to warrant a DSA.
Attached is a full debdiff.
Thanks,
Ilias
[CVE-2016-6866] https://security-tracker.debian.org/tracker/CVE-2016-6866
--
Ilias
diff -Nru suckless-tools-40/debian/changelog suckless-tools-40/debian/changelog
--- suckless-tools-40/debian/changelog 2016-02-26 13:07:26.000000000 +0200
+++ suckless-tools-40/debian/changelog 2016-09-12 17:25:07.000000000 +0300
@@ -1,3 +1,15 @@
+suckless-tools (40-1+deb8u2) stable-proposed-updates; urgency=medium
+
+ * CVE-2016-6866: Fix SEGV in slock when users account has been disabled.
+ The screen locking application slock called crypt(3) and used the return
+ value for strcmp(3) without checking to see if the return value of crypt(3)
+ was a NULL pointer.
+ If the hash returned by (getspnam()->sp_pwdp) was invalid, crypt(3) would
+ return NULL and set errno to EINVAL. This would cause slock to segfault
+ which then leaves the machine unprotected.
+
+ -- Ilias Tsitsimpis <[email protected]> Mon, 12 Sep 2016 16:17:14 +0300
+
suckless-tools (40-1+deb8u1) stable-proposed-updates; urgency=medium
* Set myself as the maintainer.
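Review bot: the new 40-1+deb8u2 entry describes only the bug and not the behaviour after the fix. Add a line saying that slock now checks the return value of crypt(3) and exits at startup when it fails to get the user's password hash, since that is a user-visible change in a stable update. Also, "users account" in the first bullet should read "user's account".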
diff -Nru suckless-tools-40/debian/patches/0002_fix-cve-2016-6866.patch suckless-tools-40/debian/patches/0002_fix-cve-2016-6866.patch
--- suckless-tools-40/debian/patches/0002_fix-cve-2016-6866.patch 1970-01-01 02:00:00.000000000 +0200
+++ suckless-tools-40/debian/patches/0002_fix-cve-2016-6866.patch 2016-09-12 16:09:57.000000000 +0300
@@ -0,0 +1,48 @@
+Description: Fix CVE-2016-6866
+ Fix SEGV in slock when users account has been disabled.
+ .
+ The screen locking application slock called crypt(3) and used the return
+ value for strcmp(3) without checking to see if the return value of crypt(3)
+ was a NULL pointer.
+ .
+ If the hash returned by (getspnam()->sp_pwdp) was invalid, crypt(3) would
+ return NULL and set errno to EINVAL. This would cause slock to segfault
+ which then leaves the machine unprotected.
+Author: Markus Teich <[email protected]>
+Origin: upstream, http://git.suckless.org/slock/commit/?id=d8bec0f6fdc8
+
+Index: b/slock/slock.c
+===================================================================
+--- a/slock/slock.c
++++ b/slock/slock.c
+@@ -85,7 +85,7 @@ readpw(Display *dpy)
+ readpw(Display *dpy, const char *pws)
+ #endif
+ {
+- char buf[32], passwd[256];
++ char buf[32], passwd[256], *encrypted;
+ int num, screen;
+ unsigned int len, llen;
+ KeySym ksym;
+@@ -118,7 +118,11 @@ readpw(Display *dpy, const char *pws)
+ #ifdef HAVE_BSD_AUTH
+ running = !auth_userokay(getlogin(), NULL, "auth-xlock", passwd);
+ #else
+- running = strcmp(crypt(passwd, pws), pws);
++ errno = 0;
++ if (!(encrypted = crypt(passwd, pws)))
++ fprintf(stderr, "slock: crypt: %s\n", strerror(errno));
++ else
++ running = !!strcmp(encrypted, pws);
+ #endif
+ if(running != False)
+ XBell(dpy, 100);
+@@ -262,6 +266,8 @@ main(int argc, char **argv) {
+
+ #ifndef HAVE_BSD_AUTH
+ pws = getpw();
++ if (strlen(pws) < 2)
++ die("slock: failed to get user password hash.\n");
+ #endif
+
+ if(!(dpy = XOpenDisplay(0)))
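Review bot: in the embedded readpw() hunk at -118, the crypt() failure branch only prints to stderr and never assigns `running`, so staying locked depends on whatever value it held before the call. Assign it explicitly in that branch (for example `running = True;`) or add a comment, so the fail-closed behaviour is not implicit. The new code uses errno and strerror(), and none of the three embedded hunks adds an include, so confirm slock.c already includes <errno.h> and <string.h>. In the main() hunk, `strlen(pws) < 2` is an unexplained threshold: add a comment naming the placeholder values it is meant to reject. The Description should also mention that a longer hash crypt() cannot parse still passes this startup check and is only caught at each unlock attempt.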
diff -Nru suckless-tools-40/debian/patches/series suckless-tools-40/debian/patches/series
--- suckless-tools-40/debian/patches/series 2016-02-26 13:08:45.000000000 +0200
+++ suckless-tools-40/debian/patches/series 2016-09-12 16:01:21.000000000 +0300
@@ -4,3 +4,4 @@
2003_transparent-makefiles.patch
2004_use_system_searchpaths.patch
0001_resize_lockscreen.patch
+0002_fix-cve-2016-6866.patch
--- End Message ---
--- Begin Message ---
Version: 8.7
Hi,
Each of these bugs refers to an update that was included in today's 8.7
point release.
Regards,
Adam
--- End Message ---