[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
01/01: gnu: slock: Fix CVE-2016-6866.
|
From: |
Leo Famulari |
|
Subject: |
01/01: gnu: slock: Fix CVE-2016-6866. |
|
Date: |
Tue, 6 Sep 2016 18:52:21 +0000 (UTC) |
lfam pushed a commit to branch master
in repository guix.
commit 3ed3c105e3aef11f21d2e50a529389c0e5aa5555
Author: Leo Famulari <address@hidden>
Date: Tue Sep 6 14:02:20 2016 -0400
gnu: slock: Fix CVE-2016-6866.
* gnu/packages/patches/slock-CVE-2016-6866.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/suckless.scm (slock): Use it.
---
gnu/local.mk | 1 +
gnu/packages/patches/slock-CVE-2016-6866.patch | 51 ++++++++++++++++++++++++
gnu/packages/suckless.scm | 1 +
3 files changed, 53 insertions(+)
diff --git a/gnu/local.mk b/gnu/local.mk
index bcd96ae..69e516c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -790,6 +790,7 @@ dist_patch_DATA =
\
%D%/packages/patches/slim-session.patch \
%D%/packages/patches/slim-config.patch \
%D%/packages/patches/slim-sigusr1.patch \
+ %D%/packages/patches/slock-CVE-2016-6866.patch \
%D%/packages/patches/slurm-configure-remove-nonfree-contribs.patch \
%D%/packages/patches/soprano-find-clucene.patch \
%D%/packages/patches/superlu-dist-scotchmetis.patch \
diff --git a/gnu/packages/patches/slock-CVE-2016-6866.patch
b/gnu/packages/patches/slock-CVE-2016-6866.patch
new file mode 100644
index 0000000..2f94b8c
--- /dev/null
+++ b/gnu/packages/patches/slock-CVE-2016-6866.patch
@@ -0,0 +1,51 @@
+Fix CVE-2016-6866.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6866
+https://security-tracker.debian.org/tracker/CVE-2016-6866
+
+Copied from upstream source repository:
+http://git.suckless.org/slock/commit/?id=d8bec0f6fdc8a246d78cb488a0068954b46fcb29
+
+From d8bec0f6fdc8a246d78cb488a0068954b46fcb29 Mon Sep 17 00:00:00 2001
+From: Markus Teich <address@hidden>
+Date: Tue, 30 Aug 2016 22:59:06 +0000
+Subject: fix CVE-2016-6866
+
+---
+diff --git a/slock.c b/slock.c
+index 847b328..8ed59ca 100644
+--- a/slock.c
++++ b/slock.c
+@@ -123,7 +123,7 @@ readpw(Display *dpy)
+ readpw(Display *dpy, const char *pws)
+ #endif
+ {
+- char buf[32], passwd[256];
++ char buf[32], passwd[256], *encrypted;
+ int num, screen;
+ unsigned int len, color;
+ KeySym ksym;
+@@ -159,7 +159,11 @@ readpw(Display *dpy, const char *pws)
+ #ifdef HAVE_BSD_AUTH
+ running = !auth_userokay(getlogin(), NULL,
"auth-slock", passwd);
+ #else
+- running = !!strcmp(crypt(passwd, pws), pws);
++ errno = 0;
++ if (!(encrypted = crypt(passwd, pws)))
++ fprintf(stderr, "slock: crypt: %s\n",
strerror(errno));
++ else
++ running = !!strcmp(encrypted, pws);
+ #endif
+ if (running) {
+ XBell(dpy, 100);
+@@ -312,6 +316,8 @@ main(int argc, char **argv) {
+
+ #ifndef HAVE_BSD_AUTH
+ pws = getpw();
++ if (strlen(pws) < 2)
++ die("slock: failed to get user password hash.\n");
+ #endif
+
+ if (!(dpy = XOpenDisplay(NULL)))
+--
+cgit v0.9.0.3-65-g4555
diff --git a/gnu/packages/suckless.scm b/gnu/packages/suckless.scm
index 7efa502..820d550 100644
--- a/gnu/packages/suckless.scm
+++ b/gnu/packages/suckless.scm
@@ -111,6 +111,7 @@ numbers of user-defined menu items efficiently.")
(method url-fetch)
(uri (string-append "http://dl.suckless.org/tools/slock-";
version ".tar.gz"))
+ (patches (search-patches "slock-CVE-2016-6866.patch"))
(sha256
(base32
"065xa9hl7zn0lv2f7yjxphqsa35rg6dn9hv10gys0sh4ljpa7d5s"))))