On 2017/07/18 13:39, Theo Buehler wrote:
> On Tue, Jul 18, 2017 at 02:18:57PM +0300, Vadim Zhukov wrote:
> > 2017-07-17 22:11 GMT+03:00 Michael Reed <mich...@michaelreed.io>:
> > > The attached patch updates x11/slock to version 1.4, which
> > > includes a fix for CVE-2016-6866 [1].
> > >
> > > IMPORTANT:
> > > To make slock work in this version, I needed to change the
> > > install permissions of /usr/local/bin/slock from g+s to u+s.
> > > I don't know much about priv-dropping, UIDs, EUIDs, and all
> > > that stuff to know if that was actually a good idea, so any
> > > advice would be helpful.
> > 
> > In this version the upstream dropped support for BSD authentication.
> > This will bite: a) YP users (including those who use ypldap); b) users
> > of non-passwd auth styles.
> > 
> > I'd rather backport the fix from upstream:
> > http://git.suckless.org/slock/commit/?id=d8bec0f6fdc8a246d78cb488a0068954b46fcb29
> 
> Note that this commit only affects the !HAVE_BSD_AUTH codepath that our
> port doesn't use, so I think there's nothing to do in this regard.

Nothing code-wise to do, but adding a comment to the Makefile explaining
this would make sense.

> Also, we don't need the backport of
> http://git.suckless.org/slock/commit/?id=35633d45672d14bd798c478c45d1a17064701aa9
> since we already did that in a local patch (a bit differently though).

It's often worth updating to the committed version to make future updates
easier, but dropping bsd-auth makes that a non-issue anyway :)
