author | Sören Tempel <soeren+git@soeren-tempel.net> | 2016-11-22 18:55:03 +0100 |
---|---|---|
committer | Sören Tempel <soeren+git@soeren-tempel.net> | 2016-11-22 19:02:29 +0100 |
commit | be37a94bd55747bcd97f496950ca42f597156ab0 (patch) | |
tree | ebd98d7d5b7e48f7030439a16b7d8f730b46e300 | |
parent | 0f70cefd44228dca729d0b9ac6648e75eba58b83 (diff) | |
community/slock: security fix for CVE-2016-6866
-rw-r--r-- | community/slock/APKBUILD | 18 | ||||
-rw-r--r-- | community/slock/CVE-2016-6866.patch | 43 |
2 files changed, 56 insertions, 5 deletions
diff --git a/community/slock/APKBUILD b/community/slock/APKBUILD
index dcc42b520b..2ebcc9759c 100644
--- a/community/slock/APKBUILD
+++ b/community/slock/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
 pkgname=slock
 pkgver=1.3
-pkgrel=2
+pkgrel=3
 pkgdesc="A simple screen locker for X"
 url="http://tools.suckless.org/slock/"
 arch="all"
@@ -14,7 +14,12 @@ install=""
 options="suid"
 subpackages="$pkgname-doc"
 source="http://dl.suckless.org/tools/$pkgname-$pkgver.tar.gz
- 0001-clear-passwords-with-explicit_bzero.patch"
+ 0001-clear-passwords-with-explicit_bzero.patch
+ CVE-2016-6866.patch"
+
+# secfixes:
+# 1.3-r3:
+# - CVE-2016-6866
 builddir="$srcdir/$pkgname-$pkgver"
 prepare() {
@@ -35,8 +40,11 @@ package() {
 }
 md5sums="825aaeccba9b3b3c1f3d249d47c1396a slock-1.3.tar.gz
-ca1f6e27e0b86101964c3a0d196d6520 0001-clear-passwords-with-explicit_bzero.patch"
+ca1f6e27e0b86101964c3a0d196d6520 0001-clear-passwords-with-explicit_bzero.patch
+711f1a1810898958559b3f7515c81b72 CVE-2016-6866.patch"
 sha256sums="bab4a3aea4046aa0fd0361c3649b79b90ca531bc5dfae3c4a6c0fe436152bd18 slock-1.3.tar.gz
-4ed77e1955536f4d9cbb104a197a129f1abf0686088cff299ee72537eea56905 0001-clear-passwords-with-explicit_bzero.patch"
+4ed77e1955536f4d9cbb104a197a129f1abf0686088cff299ee72537eea56905 0001-clear-passwords-with-explicit_bzero.patch
+ca37f6b759199128564599525176726af8a137247910bedd154fa5c95ba35f39 CVE-2016-6866.patch"
 sha512sums="5024588f6d25f9d72a9d2b8ef9d8a2a94e5d5e53f30f4a15df83b693a3706b1ad6550422f36af29f54429a9c516d14a349e46aeb9896c6e32009ff0da5c02a8f slock-1.3.tar.gz
-3b7f03c135694de6aa145587ec272ed21047c2a51e448011cb51ad447a39973a7ec9d760f42aca4dc0d22904b78b2668ffeab4c0a9d24cd6b6af88bb95cdaf38 0001-clear-passwords-with-explicit_bzero.patch"
+3b7f03c135694de6aa145587ec272ed21047c2a51e448011cb51ad447a39973a7ec9d760f42aca4dc0d22904b78b2668ffeab4c0a9d24cd6b6af88bb95cdaf38 0001-clear-passwords-with-explicit_bzero.patch
+919cb98e6ae95855be5dd23fcfc122c5eb15272f16a6c1abbde2339247473aa3d7685461fb38f4e6cff5f12887a36859b081d06033d8cace5a2b762558e7357a CVE-2016-6866.patch"
diff --git a/community/slock/CVE-2016-6866.patch b/community/slock/CVE-2016-6866.patch
new file mode 100644
index 0000000000..f44bbbd540
--- /dev/null
+++ b/community/slock/CVE-2016-6866.patch
@@ -0,0 +1,43 @@
+From d8bec0f6fdc8a246d78cb488a0068954b46fcb29 Mon Sep 17 00:00:00 2001
+From: Markus Teich <markus.teich@stusta.mhn.de>
+Date: Tue, 30 Aug 2016 22:59:06 +0000
+Subject: fix CVE-2016-6866
+
+---
+diff --git a/slock.c b/slock.c
+index 847b328..8ed59ca 100644
+--- a/slock.c
++++ b/slock.c
+@@ -123,7 +123,7 @@ readpw(Display *dpy)
+ readpw(Display *dpy, const char *pws)
+ #endif
+ {
+- char buf[32], passwd[256];
++ char buf[32], passwd[256], *encrypted;
+ int num, screen;
+ unsigned int len, color;
+ KeySym ksym;
+@@ -159,7 +159,11 @@ readpw(Display *dpy, const char *pws)
+ #ifdef HAVE_BSD_AUTH
+ running = !auth_userokay(getlogin(), NULL, "auth-slock", passwd);
+ #else
+- running = !!strcmp(crypt(passwd, pws), pws);
++ errno = 0;
++ if (!(encrypted = crypt(passwd, pws)))
++ fprintf(stderr, "slock: crypt: %s\n", strerror(errno));
++ else
++ running = !!strcmp(encrypted, pws);
+ #endif
+ if (running) {
+ XBell(dpy, 100);
+@@ -312,6 +316,8 @@ main(int argc, char **argv) {
+
+ #ifndef HAVE_BSD_AUTH
+ pws = getpw();
++ if (strlen(pws) < 2)
++ die("slock: failed to get user password hash.\n");
+ #endif
+
+ if (!(dpy = XOpenDisplay(NULL)))
+--
+cgit v0.9.0.3-65-g4555 |
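Review bot: The crypt() failure branch in the second hunk of the embedded patch leaves `running` untouched, so a failed hash computation keeps the screen locked instead of dereferencing NULL in strcmp() as the old line did; that fail-closed behaviour is the whole point of the fix but nothing in the code says so, and a comment such as `/* crypt() failed: leave running set so the lock stays engaged */` above the `fprintf` would keep a later cleanup from "simplifying" it away. The `strlen(pws) < 2` guard added in main() also deserves a one-line comment stating that it rejects an empty or single-character placeholder hash from getpw(), since a bare marker in the password field must never be accepted as a comparable hash. On Alpine's musl, as far as I recall, crypt() reports an unsupported or failed hash by returning a short fixed string rather than NULL, so the new NULL branch matters mostly on other libcs; the strcmp() then still fails closed because that token never equals the stored hash, but this is worth confirming against the libc the package is built with. Both readpw() and main() start and end outside the hunks.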