On Tue, Jul 18, 2017 at 02:18:57PM +0300, Vadim Zhukov wrote: > 2017-07-17 22:11 GMT+03:00 Michael Reed <mich...@michaelreed.io>: > > The attached patch updates x11/slock to version 1.4, which > > includes a fix for CVE-2016-6866 [1]. > > > > IMPORTANT: > > To make slock work in this version, I needed to change the > > install permissions of /usr/local/bin/slock from g+s to u+s. > > I don't know much about priv-dropping, UIDs, EUIDs, and all > > that stuff to know if that was actually a good idea, so any > > advice would be helpful. > > In this version the upstream dropped support for BSD authentication. > This will bite: a) YP users (including those who use ypldap); b) users > of non-passwd auth styles. > > I'd rather backport the fix from upstream: > http://git.suckless.org/slock/commit/?id=d8bec0f6fdc8a246d78cb488a0068954b46fcb29
Note that this commit only affects the !HAVE_BSD_AUTH codepath that our port doesn't use, so I think there's nothing to do in this regard. Also, we don't need the backport of http://git.suckless.org/slock/commit/?id=35633d45672d14bd798c478c45d1a17064701aa9 since we already did that in a local patch (a bit differently though).
