Package: release.debian.org Severity: normal Tags: jessie User: [email protected] Usertags: pu
Dear Release Team, I would like to update suckless-tools in jessie in order to fix a bug in the slock command. Slock is a simple X display locker. Recently, slock v1.3 was released and it fixes a bug that can be considered security related. More specifically, the cover window would not resize correctly when new screens were added or the resolution was changed while the lock was active, leaving part of the screen visible (information leakage). The upstream patch that fixes the above bug can be found here[1]. I contacted the Security Team about this, and they decided this is not severe enough to warrant a DSA. Attached is a full debdiff. Thanks, Ilias [1] http://git.suckless.org/slock/commit/?id=f5ef1b8eb5555da1
diff -Nru suckless-tools-40/debian/changelog suckless-tools-40/debian/changelog
--- suckless-tools-40/debian/changelog 2013-09-15 20:03:11.000000000 +0300
+++ suckless-tools-40/debian/changelog 2016-02-26 13:07:26.000000000 +0200
@@ -1,3 +1,14 @@
+suckless-tools (40-1+deb8u1) stable-proposed-updates; urgency=medium
+
+ * Set myself as the maintainer.
+ Package has already been adopted in unstable (ITA: #776482).
+ * Patch slock to properly resize the cover window.
+ The cover window now resizes correctly when new screens are added
+ or the resolution is changed while the lock is active.
+ * Add libxrandr-dev to build dependencies (needed by the above patch).
+
+ -- Ilias Tsitsimpis <[email protected]> Fri, 26 Feb 2016 13:05:03 +0200
+
 suckless-tools (40-1) unstable; urgency=low
 
 * Suggest surf which can be used with tabbed.
diff -Nru suckless-tools-40/debian/control suckless-tools-40/debian/control
--- suckless-tools-40/debian/control 2013-06-23 12:30:20.000000000 +0300
+++ suckless-tools-40/debian/control 2016-02-26 13:04:11.000000000 +0200
@@ -1,8 +1,7 @@
 Source: suckless-tools
 Section: x11
 Priority: optional
-Maintainer: Vasudev Kamath <[email protected]>
-Uploaders: Michael Stummvoll <[email protected]>
+Maintainer: Ilias Tsitsimpis <[email protected]>
 Build-Depends: debhelper (>= 9),
 libx11-dev,
 libxinerama-dev,
@@ -10,6 +9,7 @@
 dpkg-dev (>= 1.16.1.1),
 libxss-dev,
 libxft-dev,
+ libxrandr-dev,
 libfreetype6-dev
 Standards-Version: 3.9.4
 Homepage: http://www.suckless.org
diff -Nru suckless-tools-40/debian/patches/0001_resize_lockscreen.patch suckless-tools-40/debian/patches/0001_resize_lockscreen.patch
--- suckless-tools-40/debian/patches/0001_resize_lockscreen.patch 1970-01-01 02:00:00.000000000 +0200
+++ suckless-tools-40/debian/patches/0001_resize_lockscreen.patch 2016-02-26 13:22:15.000000000 +0200
@@ -0,0 +1,76 @@
+Description: Patch slock to correctly resize the cover window
+ Resize the cover window when new screens are added or the resolution is
+ changed while the lock is active. This prevents potential information leakage.
+Author: Markus Teich <[email protected]>
+Orig: upstream, http://git.suckless.org/slock/commit/?id=f5ef1b8eb555
+
+Index: suckless-tools-40/slock/config.mk
+===================================================================
+--- suckless-tools-40.orig/slock/config.mk
++++ suckless-tools-40/slock/config.mk
+@@ -7,7 +7,7 @@ VERSION = 1.1
+ PREFIX = /usr/local
+
+ # includes and libs
+-LIBS = -lc -lcrypt -lX11 -lXext
++LIBS = -lc -lcrypt -lX11 -lXext -lXrandr
+
+ # flags
+ CPPFLAGS += -DVERSION=\"${VERSION}\" -DHAVE_SHADOW_H -DCOLOR1=\"black\" -DCOLOR2=\"\#005577\"
+Index: suckless-tools-40/slock/slock.c
+===================================================================
+--- suckless-tools-40.orig/slock/slock.c
++++ suckless-tools-40/slock/slock.c
+@@ -14,6 +14,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <sys/types.h>
++#include <X11/extensions/Xrandr.h>
+ #include <X11/keysym.h>
+ #include <X11/Xlib.h>
+ #include <X11/Xutil.h>
+@@ -33,6 +34,9 @@ typedef struct {
+ static Lock **locks;
+ static int nscreens;
+ static Bool running = True;
++static Bool rr;
++static int rrevbase;
++static int rrerrbase;
+
+ static void
+ die(const char *errstr, ...) {
+@@ -146,8 +150,15 @@ readpw(Display *dpy, const char *pws)
+ }
+ }
+ llen = len;
+- }
+- else for(screen = 0; screen < nscreens; screen++)
++ } else if (rr && ev.type == rrevbase + RRScreenChangeNotify) {
++ XRRScreenChangeNotifyEvent *rre = (XRRScreenChangeNotifyEvent*)&ev;
++ for (screen = 0; screen < nscreens; screen++) {
++ if (locks[screen]->win == rre->window) {
++ XResizeWindow(dpy, locks[screen]->win, rre->width, rre->height);
++ XClearWindow(dpy, locks[screen]->win);
++ }
++ }
++ } else for (screen = 0; screen < nscreens; screen++)
+ XRaiseWindow(dpy, locks[screen]->win);
+ }
+ }
+@@ -199,6 +210,8 @@ lockscreen(Display *dpy, int screen) {
+ invisible = XCreatePixmapCursor(dpy, lock->pmap, lock->pmap, &color, &color, 0, 0);
+ XDefineCursor(dpy, lock->win, invisible);
+ XMapRaised(dpy, lock->win);
++ if (rr)
++ XRRSelectInput(dpy, lock->win, RRScreenChangeNotifyMask);
+ for(len = 1000; len; len--) {
+ if(XGrabPointer(dpy, lock->root, False, ButtonPressMask | ButtonReleaseMask | PointerMotionMask,
+ GrabModeAsync, GrabModeAsync, None, invisible, CurrentTime) == GrabSuccess)
+@@ -253,6 +266,7 @@ main(int argc, char **argv) {
+
+ if(!(dpy = XOpenDisplay(0)))
+ die("slock: cannot open display");
++ rr = XRRQueryExtension(dpy, &rrevbase, &rrerrbase);
+ /* Get the number of screens in display "dpy" and blank them all. */
+ nscreens = ScreenCount(dpy);
+ locks = malloc(sizeof(Lock *) * nscreens);
diff -Nru suckless-tools-40/debian/patches/series suckless-tools-40/debian/patches/series
--- suckless-tools-40/debian/patches/series 2013-09-15 19:58:13.000000000 +0300
+++ suckless-tools-40/debian/patches/series 2016-02-26 13:08:45.000000000 +0200
@@ -3,3 +3,4 @@
 2002_dpkg_buildflags.patch
 2003_transparent-makefiles.patch
 2004_use_system_searchpaths.patch
+0001_resize_lockscreen.patch
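Review bot: In the `RRScreenChangeNotify` branch added to readpw, `XResizeWindow` is called with `rre->width, rre->height` without consulting `rre->rotation`. If the event carries the unrotated geometry (worth confirming on a rotated output), a switch to a 90° or 270° rotation would size the cover window with the axes swapped and leave a strip of the desktop uncovered, which is the same leak this patch is meant to close. Separately, when `XRRQueryExtension` in main returns False, `rr` stays False and the lock silently keeps its original size; a one-line warning on stderr would make that degraded mode visible to the user. The bodies of readpw, lockscreen and main all extend beyond the hunks shown.

```c
if (locks[screen]->win == rre->window) {
    /* Keep the cover window matched to the visible screen when rotated. */
    if (rre->rotation == RR_Rotate_90 || rre->rotation == RR_Rotate_270)
        XResizeWindow(dpy, locks[screen]->win, rre->height, rre->width);
    else
        XResizeWindow(dpy, locks[screen]->win, rre->width, rre->height);
    /* … unchanged: XClearWindow call … */
```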

