community/slock: security fix for CVE-2016-6866

be37a94b · Sören Tempel · 0f70cefd · be37a94b · be37a94b
Commit be37a94b authored 8 years ago by Sören Tempel
--- a/community/slock/APKBUILD
+++ b/community/slock/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
 pkgname=slock
 pkgver=1.3
-pkgrel=2
+pkgrel=3
 pkgdesc="A simple screen locker for X"
 url="http://tools.suckless.org/slock/"
 arch="all"
@@ -14,7 +14,12 @@ install=""
 options="suid"
 subpackages="$pkgname-doc"
 source="http://dl.suckless.org/tools/$pkgname-$pkgver.tar.gz
-	0001-clear-passwords-with-explicit_bzero.patch"
+	0001-clear-passwords-with-explicit_bzero.patch
+	CVE-2016-6866.patch"
+
+# secfixes:
+#   1.3-r3:
+#     - CVE-2016-6866

 builddir="$srcdir/$pkgname-$pkgver"
 prepare() {
@@ -35,8 +40,11 @@ package() {
 }

 md5sums="825aaeccba9b3b3c1f3d249d47c1396a  slock-1.3.tar.gz
-ca1f6e27e0b86101964c3a0d196d6520  0001-clear-passwords-with-explicit_bzero.patch"
+ca1f6e27e0b86101964c3a0d196d6520  0001-clear-passwords-with-explicit_bzero.patch
+711f1a1810898958559b3f7515c81b72  CVE-2016-6866.patch"
 sha256sums="bab4a3aea4046aa0fd0361c3649b79b90ca531bc5dfae3c4a6c0fe436152bd18  slock-1.3.tar.gz
-4ed77e1955536f4d9cbb104a197a129f1abf0686088cff299ee72537eea56905  0001-clear-passwords-with-explicit_bzero.patch"
+4ed77e1955536f4d9cbb104a197a129f1abf0686088cff299ee72537eea56905  0001-clear-passwords-with-explicit_bzero.patch
+ca37f6b759199128564599525176726af8a137247910bedd154fa5c95ba35f39  CVE-2016-6866.patch"
 sha512sums="5024588f6d25f9d72a9d2b8ef9d8a2a94e5d5e53f30f4a15df83b693a3706b1ad6550422f36af29f54429a9c516d14a349e46aeb9896c6e32009ff0da5c02a8f  slock-1.3.tar.gz
-3b7f03c135694de6aa145587ec272ed21047c2a51e448011cb51ad447a39973a7ec9d760f42aca4dc0d22904b78b2668ffeab4c0a9d24cd6b6af88bb95cdaf38  0001-clear-passwords-with-explicit_bzero.patch"
+3b7f03c135694de6aa145587ec272ed21047c2a51e448011cb51ad447a39973a7ec9d760f42aca4dc0d22904b78b2668ffeab4c0a9d24cd6b6af88bb95cdaf38  0001-clear-passwords-with-explicit_bzero.patch
+919cb98e6ae95855be5dd23fcfc122c5eb15272f16a6c1abbde2339247473aa3d7685461fb38f4e6cff5f12887a36859b081d06033d8cace5a2b762558e7357a  CVE-2016-6866.patch"
--- a/community/slock/CVE-2016-6866.patch
+++ b/community/slock/CVE-2016-6866.patch
+From d8bec0f6fdc8a246d78cb488a0068954b46fcb29 Mon Sep 17 00:00:00 2001
+From: Markus Teich <markus.teich@stusta.mhn.de>
+Date: Tue, 30 Aug 2016 22:59:06 +0000
+Subject: fix CVE-2016-6866
+
+---
+diff --git a/slock.c b/slock.c
+index 847b328..8ed59ca 100644
+--- a/slock.c
+++ b/slock.c
+@@ -123,7 +123,7 @@ readpw(Display *dpy)
+ readpw(Display *dpy, const char *pws)
+ #endif
+ {
+-	char buf[32], passwd[256];
+	char buf[32], passwd[256], *encrypted;
+ 	int num, screen;
+ 	unsigned int len, color;
+ 	KeySym ksym;
+@@ -159,7 +159,11 @@ readpw(Display *dpy, const char *pws)
+ #ifdef HAVE_BSD_AUTH
+ 				running = !auth_userokay(getlogin(), NULL, "auth-slock", passwd);
+ #else
+-				running = !!strcmp(crypt(passwd, pws), pws);
+				errno = 0;
+				if (!(encrypted = crypt(passwd, pws)))
+					fprintf(stderr, "slock: crypt: %s\n", strerror(errno));
+				else
+					running = !!strcmp(encrypted, pws);
+ #endif
+ 				if (running) {
+ 					XBell(dpy, 100);
+@@ -312,6 +316,8 @@ main(int argc, char **argv) {
+ 
+ #ifndef HAVE_BSD_AUTH
+ 	pws = getpw();
+	if (strlen(pws) < 2)
+		die("slock: failed to get user password hash.\n");
+ #endif
+ 
+ 	if (!(dpy = XOpenDisplay(NULL)))
+--
+cgit v0.9.0.3-65-g4555