dsilakov has added 78a9ac3384
Imported from SRPM
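--- /dev/null
+++ b/.abf.yml
@@ -0,0 +1,2 @@
+sources:
+  slock-1.2.tar.gz: 15c5be7c10d7d278882723197255179ffef9c5b1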
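--- /dev/null
+++ b/slock-1.2-CVE-2016-6866.patch
@@ -0,0 +1,59 @@
+From 3edbad1970dcc95358f00fb075cfbf26f7a78345 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Wed, 31 Aug 2016 00:59:06 +0200
+Subject: [PATCH] fix CVE-2016-6866
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ported to 1.3:
+
+commit d8bec0f6fdc8a246d78cb488a0068954b46fcb29
+Author: Markus Teich <markus.teich@stusta.mhn.de>
+Date:   Wed Aug 31 00:59:06 2016 +0200
+
+    fix CVE-2016-6866
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ slock.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/slock.c b/slock.c
+index cf49555..2c9fabe 100644
+--- a/slock.c
++++ b/slock.c
+@@ -102,7 +102,7 @@ readpw(Display *dpy)
+ readpw(Display *dpy, const char *pws)
+ #endif
+ {
+-	char buf[32], passwd[256];
++	char buf[32], passwd[256], *encrypted;
+ 	int num, screen;
+ 	unsigned int len, llen;
+ 	KeySym ksym;
+@@ -135,7 +135,11 @@ readpw(Display *dpy, const char *pws)
+ #ifdef HAVE_BSD_AUTH
+ 				running = !auth_userokay(getlogin(), NULL, "auth-xlock", passwd);
+ #else
+-				running = !!strcmp(crypt(passwd, pws), pws);
++				errno = 0;
++				if (!(encrypted = crypt(passwd, pws)))
++					fprintf(stderr, "slock: crypt: %s\n", strerror(errno));
++				else
++					running = !!strcmp(encrypted, pws);
+ #endif
+ 				if(running)
+ 					XBell(dpy, 100);
+@@ -274,6 +278,8 @@ main(int argc, char **argv) {
+ 
+ #ifndef HAVE_BSD_AUTH
+ 	pws = getpw();
++	if (strlen(pws) < 2)
++		die("slock: failed to get user password hash.\n");
+ #endif
+ 
+ 	if(!(dpy = XOpenDisplay(0)))
+-- 
+2.5.5
+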
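Review bot: The `strlen(pws) < 2` check added in `main()` rejects only an empty or one-character hash, so a longer entry that `crypt()` cannot use as a setting (a locked-account marker, for instance) still reaches `readpw()`, where the new NULL branch leaves `running` set on every attempt and the display can no longer be unlocked from the keyboard. Failing closed there is the right choice, but an unusable hash is better caught before the screen is locked, by probing once after `getpw()`: `errno = 0; if (!crypt("", pws)) die("slock: crypt: %s\n", strerror(errno));`. A short comment on the NULL branch, such as `/* crypt() failed: keep the screen locked */`, would record that leaving `running` untouched is deliberate. Both `readpw()` and `main()` continue outside the hunks shown.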
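--- /dev/null
+++ b/slock.spec
@@ -0,0 +1,32 @@
+Name:		slock
+Version:	1.2
+Release:	3
+Group:		Graphical desktop/Other
+Summary:	Simple X display locker
+URL:		http://tools.suckless.org/slock
+Source:		http://dl.suckless.org/tools/slock-%{version}.tar.gz
+Patch0:		slock-1.2-CVE-2016-6866.patch
+License:	MIT
+BuildRequires:	pkgconfig(x11)
+BuildRequires:	pkgconfig(xext)
+
+%description
+A very simple X screen locker from suckless.org. It is stable and quite
+a lot of people are using it every day when they are out with friends
+or fetching some food from the local pub
+
+
+%prep
+%setup -q
+%patch0 -p1 -b .CVE-2016-6866
+
+%build
+%setup_compile_flags
+%make CFLAGS="$CFLAGS "'$(CPPFLAGS) ' LDFLAGS="$LDFLAGS "'$(LIBS)'
+
+%install
+%make_install PREFIX=%{_prefix}
+
+%files
+%doc LICENSE README
+%{_bindir}/%{name}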
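Review bot: The `%files` entry lists `%{_bindir}/%{name}` without an explicit `%attr`, so the installed mode and owner of the locker are whatever the upstream `make install` leaves in the buildroot. The patch carried in this commit shows slock reading the user's password hash through `getpw()` and `crypt()`, which normally needs elevated privilege, so the binary presumably ships setuid. Stating that in the spec, for example `%attr(4755,root,root) %{_bindir}/%{name}` if that is the intended mode, makes the privilege visible to package audits. Confirm the mode against the upstream Makefile and the distribution's setuid policy before adding it.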
