Bug#837575: jessie-pu: package suckless-tools/40-1+deb8u1

2016-09-19 Thread Adam D. Barratt
Control: tags -1 + pending

On Sat, 2016-09-17 at 22:20 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Mon, 2016-09-12 at 17:40 +0300, Ilias Tsitsimpis wrote:
> 
> > I would like to update suckless-tools in jessie in order to fix a bug in
> > the slock command (CVE-2016-6866).
> 
> Please go ahead.

Uploaded and flagged for acceptance.

Regards,

Adam



Bug#837575: jessie-pu: package suckless-tools/40-1+deb8u1

2016-09-17 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2016-09-12 at 17:40 +0300, Ilias Tsitsimpis wrote:

> I would like to update suckless-tools in jessie in order to fix a bug in
> the slock command (CVE-2016-6866).

Please go ahead.

Regards,

Adam



Bug#837575: jessie-pu: package suckless-tools/40-1+deb8u1

2016-09-12 Thread Ilias Tsitsimpis
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear Release Team,

I would like to update suckless-tools in jessie in order to fix a bug in
the slock command (CVE-2016-6866).

I have contacted the Security Team about this, and they decided this
is not severe enough to warrant a DSA.

Attached is a full debdiff.

Thanks,
Ilias

[CVE-2016-6866] https://security-tracker.debian.org/tracker/CVE-2016-6866

-- 
Ilias
diff -Nru suckless-tools-40/debian/changelog suckless-tools-40/debian/changelog
--- suckless-tools-40/debian/changelog	2016-02-26 13:07:26.0 +0200
+++ suckless-tools-40/debian/changelog	2016-09-12 17:25:07.0 +0300
@@ -1,3 +1,15 @@
+suckless-tools (40-1+deb8u2) stable-proposed-updates; urgency=medium
+
+  * CVE-2016-6866: Fix SEGV in slock when users account has been disabled.
+The screen locking application slock called crypt(3) and used the return
+value for strcmp(3) without checking to see if the return value of crypt(3)
+was a NULL pointer.
+If the hash returned by (getspnam()->sp_pwdp) was invalid, crypt(3) would
+return NULL and set errno to EINVAL. This would cause slock to segfault
+which then leaves the machine unprotected.
+
+ -- Ilias Tsitsimpis   Mon, 12 Sep 2016 16:17:14 +0300
+
 suckless-tools (40-1+deb8u1) stable-proposed-updates; urgency=medium
 
   * Set myself as the maintainer.
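Review bot: the new 40-1+deb8u2 entry documents only the crypt(3) NULL check, but the shipped 0002_fix-cve-2016-6866.patch also makes main() exit with "slock: failed to get user password hash." when the hash is shorter than two characters. That is a user-visible behaviour change (slock now refuses to start for such accounts) and should be mentioned in the entry. Minor: "users account" in the first line should read "user's account".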
diff -Nru suckless-tools-40/debian/patches/0002_fix-cve-2016-6866.patch suckless-tools-40/debian/patches/0002_fix-cve-2016-6866.patch
--- suckless-tools-40/debian/patches/0002_fix-cve-2016-6866.patch	1970-01-01 02:00:00.0 +0200
+++ suckless-tools-40/debian/patches/0002_fix-cve-2016-6866.patch	2016-09-12 16:09:57.0 +0300
@@ -0,0 +1,48 @@
+Description: Fix CVE-2016-6866
+ Fix SEGV in slock when users account has been disabled.
+ .
+ The screen locking application slock called crypt(3) and used the return
+ value for strcmp(3) without checking to see if the return value of crypt(3)
+ was a NULL pointer.
+ .
+ If the hash returned by (getspnam()->sp_pwdp) was invalid, crypt(3) would
+ return NULL and set errno to EINVAL. This would cause slock to segfault
+ which then leaves the machine unprotected.
+Author: Markus Teich 
+Origin: upstream, http://git.suckless.org/slock/commit/?id=d8bec0f6fdc8
+
+Index: b/slock/slock.c
+===
+--- a/slock/slock.c
 b/slock/slock.c
+@@ -85,7 +85,7 @@ readpw(Display *dpy)
+ readpw(Display *dpy, const char *pws)
+ #endif
+ {
+-	char buf[32], passwd[256];
++	char buf[32], passwd[256], *encrypted;
+ 	int num, screen;
+ 	unsigned int len, llen;
+ 	KeySym ksym;
+@@ -118,7 +118,11 @@ readpw(Display *dpy, const char *pws)
+ #ifdef HAVE_BSD_AUTH
+ running = !auth_userokay(getlogin(), NULL, "auth-xlock", passwd);
+ #else
+-running = strcmp(crypt(passwd, pws), pws);
++errno = 0;
++if (!(encrypted = crypt(passwd, pws)))
++	fprintf(stderr, "slock: crypt: %s\n", strerror(errno));
++else
++	running = !!strcmp(encrypted, pws);
+ #endif
+ if(running != False)
+ 	XBell(dpy, 100);
+@@ -262,6 +266,8 @@ main(int argc, char **argv) {
+ 
+ #ifndef HAVE_BSD_AUTH
+ 	pws = getpw();
++	if (strlen(pws) < 2)
++		die("slock: failed to get user password hash.\n");
+ #endif
+ 
+ 	if(!(dpy = XOpenDisplay(0)))
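Review bot: the startup check added in main(), strlen(pws) < 2, tests only the length of the hash, so a longer entry that crypt(3) still rejects passes it and the screen gets locked anyway. Every unlock attempt then lands in the new NULL branch in readpw(), which prints "slock: crypt: ..." and leaves running unchanged. That fails closed, which is the right direction for a screen locker, but the user then has no password that unlocks the session. Consider validating the hash once in main() by passing it to crypt() before the display is opened and calling die() if the result is NULL, so the failure is reported before the lock is taken rather than after. Also, none of the visible hunks adds an #include, so confirm that slock.c already pulls in errno.h and string.h for the new errno and strerror() uses.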
diff -Nru suckless-tools-40/debian/patches/series suckless-tools-40/debian/patches/series
--- suckless-tools-40/debian/patches/series	2016-02-26 13:08:45.0 +0200
+++ suckless-tools-40/debian/patches/series	2016-09-12 16:01:21.0 +0300
@@ -4,3 +4,4 @@
 2003_transparent-makefiles.patch
 2004_use_system_searchpaths.patch
 0001_resize_lockscreen.patch
+0002_fix-cve-2016-6866.patch