authorSören Tempel <soeren+git@soeren-tempel.net>2016-11-22 18:55:03 +0100
committerSören Tempel <soeren+git@soeren-tempel.net>2016-11-22 19:02:29 +0100
commitbe37a94bd55747bcd97f496950ca42f597156ab0 (patch)
treeebd98d7d5b7e48f7030439a16b7d8f730b46e300
parent0f70cefd44228dca729d0b9ac6648e75eba58b83 (diff)
downloadaports-be37a94bd55747bcd97f496950ca42f597156ab0.tar.bz2
aports-be37a94bd55747bcd97f496950ca42f597156ab0.tar.xz
community/slock: security fix for CVE-2016-6866
-rw-r--r--community/slock/APKBUILD18
-rw-r--r--community/slock/CVE-2016-6866.patch43
2 files changed, 56 insertions, 5 deletions
diff --git a/community/slock/APKBUILD b/community/slock/APKBUILD
index dcc42b520b..2ebcc9759c 100644
--- a/community/slock/APKBUILD
+++ b/community/slock/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
pkgname=slock
pkgver=1.3
-pkgrel=2
+pkgrel=3
pkgdesc="A simple screen locker for X"
url="http://tools.suckless.org/slock/"
arch="all"
@@ -14,7 +14,12 @@ install=""
options="suid"
subpackages="$pkgname-doc"
source="http://dl.suckless.org/tools/$pkgname-$pkgver.tar.gz
- 0001-clear-passwords-with-explicit_bzero.patch"
+ 0001-clear-passwords-with-explicit_bzero.patch
+ CVE-2016-6866.patch"
+
+# secfixes:
+# 1.3-r3:
+# - CVE-2016-6866
builddir="$srcdir/$pkgname-$pkgver"
prepare() {
@@ -35,8 +40,11 @@ package() {
}
md5sums="825aaeccba9b3b3c1f3d249d47c1396a slock-1.3.tar.gz
-ca1f6e27e0b86101964c3a0d196d6520 0001-clear-passwords-with-explicit_bzero.patch"
+ca1f6e27e0b86101964c3a0d196d6520 0001-clear-passwords-with-explicit_bzero.patch
+711f1a1810898958559b3f7515c81b72 CVE-2016-6866.patch"
sha256sums="bab4a3aea4046aa0fd0361c3649b79b90ca531bc5dfae3c4a6c0fe436152bd18 slock-1.3.tar.gz
-4ed77e1955536f4d9cbb104a197a129f1abf0686088cff299ee72537eea56905 0001-clear-passwords-with-explicit_bzero.patch"
+4ed77e1955536f4d9cbb104a197a129f1abf0686088cff299ee72537eea56905 0001-clear-passwords-with-explicit_bzero.patch
+ca37f6b759199128564599525176726af8a137247910bedd154fa5c95ba35f39 CVE-2016-6866.patch"
sha512sums="5024588f6d25f9d72a9d2b8ef9d8a2a94e5d5e53f30f4a15df83b693a3706b1ad6550422f36af29f54429a9c516d14a349e46aeb9896c6e32009ff0da5c02a8f slock-1.3.tar.gz
-3b7f03c135694de6aa145587ec272ed21047c2a51e448011cb51ad447a39973a7ec9d760f42aca4dc0d22904b78b2668ffeab4c0a9d24cd6b6af88bb95cdaf38 0001-clear-passwords-with-explicit_bzero.patch"
+3b7f03c135694de6aa145587ec272ed21047c2a51e448011cb51ad447a39973a7ec9d760f42aca4dc0d22904b78b2668ffeab4c0a9d24cd6b6af88bb95cdaf38 0001-clear-passwords-with-explicit_bzero.patch
+919cb98e6ae95855be5dd23fcfc122c5eb15272f16a6c1abbde2339247473aa3d7685461fb38f4e6cff5f12887a36859b081d06033d8cace5a2b762558e7357a CVE-2016-6866.patch"
diff --git a/community/slock/CVE-2016-6866.patch b/community/slock/CVE-2016-6866.patch
new file mode 100644
index 0000000000..f44bbbd540
--- /dev/null
+++ b/community/slock/CVE-2016-6866.patch
@@ -0,0 +1,43 @@
+From d8bec0f6fdc8a246d78cb488a0068954b46fcb29 Mon Sep 17 00:00:00 2001
+From: Markus Teich <markus.teich@stusta.mhn.de>
+Date: Tue, 30 Aug 2016 22:59:06 +0000
+Subject: fix CVE-2016-6866
+
+---
+diff --git a/slock.c b/slock.c
+index 847b328..8ed59ca 100644
+--- a/slock.c
++++ b/slock.c
+@@ -123,7 +123,7 @@ readpw(Display *dpy)
+ readpw(Display *dpy, const char *pws)
+ #endif
+ {
+- char buf[32], passwd[256];
++ char buf[32], passwd[256], *encrypted;
+ int num, screen;
+ unsigned int len, color;
+ KeySym ksym;
+@@ -159,7 +159,11 @@ readpw(Display *dpy, const char *pws)
+ #ifdef HAVE_BSD_AUTH
+ running = !auth_userokay(getlogin(), NULL, "auth-slock", passwd);
+ #else
+- running = !!strcmp(crypt(passwd, pws), pws);
++ errno = 0;
++ if (!(encrypted = crypt(passwd, pws)))
++ fprintf(stderr, "slock: crypt: %s\n", strerror(errno));
++ else
++ running = !!strcmp(encrypted, pws);
+ #endif
+ if (running) {
+ XBell(dpy, 100);
+@@ -312,6 +316,8 @@ main(int argc, char **argv) {
+
+ #ifndef HAVE_BSD_AUTH
+ pws = getpw();
++ if (strlen(pws) < 2)
++ die("slock: failed to get user password hash.\n");
+ #endif
+
+ if (!(dpy = XOpenDisplay(NULL)))
+--
+cgit v0.9.0.3-65-g4555
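Review bot: The crypt() failure branch at `if (!(encrypted = crypt(passwd, pws)))` appears to rely on `running` keeping its previous value so that the screen stays locked when the hash is invalid, but nothing in the hunk says so; that intent deserves a comment, e.g. `/* crypt() failed (e.g. EINVAL on an invalid hash): leave running set so the lock is kept, never released, on error */`. The new error path uses `errno` and `strerror()`, so `<errno.h>` and `<string.h>` must already be included by slock.c — presumably they are for the existing code, but the patch adds no includes, so this is worth confirming. The `strlen(pws) < 2` check in main() only rejects empty and one-character password fields such as `x`, `!` or `*`; a longer but still invalid hash (a `!`-prefixed locked hash, for instance) passes it and is caught only when crypt() fails at unlock time, so a comment making the two checks' division of labour explicit would help: `/* reject empty/placeholder hashes up front; longer invalid hashes are handled when crypt() fails in readpw() */`. Both readpw() and main() start and end outside the hunk.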