---
Heyho, after reading Erics original CVE report and proposed fix again and thinking about it, I came to the conclusion that this is a cleaner fix. It calls crypt() pre-locking with a bogus "x" as password just to see if the pws value is correct and other system requirements are met to call crypt later on after the password has been entered. I will apply it tomorrow if there are no objections. http://www.openwall.com/lists/oss-security/2016/08/18/22 --Markus
 slock.c | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/slock.c b/slock.c
index 9ec2f71..0cb085c 100644
--- a/slock.c
+++ b/slock.c
_AT_@ -131,7 +131,7 @@ readpw(Display *dpy)
 readpw(Display *dpy, const char *pws)
 #endif
 {
- char buf[32], passwd[256], *encrypted;
+ char buf[32], passwd[256];
 int num, screen;
 unsigned int len, color;
 KeySym ksym;
_AT_@ -167,11 +167,7 @@ readpw(Display *dpy, const char *pws)
 #ifdef HAVE_BSD_AUTH
 running = !auth_userokay(getlogin(), NULL, "auth-slock", passwd);
 #else
- errno = 0;
- if (!(encrypted = crypt(passwd, pws)))
- fprintf(stderr, "slock: crypt: %s\n", strerror(errno));
- else
- running = !!strcmp(encrypted, pws);
+ running = !!strcmp(crypt(passwd, pws), pws);
 #endif
 if (running) {
 XBell(dpy, 100);
_AT_@ -324,8 +320,9 @@ main(int argc, char **argv) {
 #ifndef HAVE_BSD_AUTH
 pws = getpw();
- if (strlen(pws) < 2)
- die("slock: failed to get user password hash.\n");
+ errno = 0;
+ if (!crypt("x", pws))
+ die("slock: crypt: %s\n", strerror(errno));
 #endif
 if (!(dpy = XOpenDisplay(NULL)))
--
2.7.3
Received on Wed Aug 31 2016 - 19:33:41 CEST
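Review bot: The unlock path in readpw now passes the result of crypt() straight to strcmp() in `running = !!strcmp(crypt(passwd, pws), pws);`, so a NULL return at that point is dereferenced. The pre-lock probe added in main only covers failures that depend on pws and the system configuration; crypt() may still fail once the real password is hashed (a transient allocation failure, for instance, which cannot be ruled out from this hunk), and for a screen locker a crash typically means the screen is no longer locked. Keeping the guard costs two lines: retain `*encrypted` in the first hunk's declaration and write `encrypted = crypt(passwd, pws);` followed by `running = !encrypted || !!strcmp(encrypted, pws);`, which treats a failed hash as a wrong password. readpw's body starts and ends outside the hunk.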
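Review bot: Replacing the `strlen(pws) < 2` test in main with the `crypt("x", pws)` probe relies on crypt() returning NULL for every unusable hash. Some crypt() implementations are known to report failure with a non-NULL invalid-hash string instead, in which case a placeholder entry would pass the probe and slock would lock with a hash that no password can match. Keeping the length check ahead of the probe, `if (strlen(pws) < 2) die("slock: failed to get user password hash.\n");`, preserves the old pre-lock rejection on those systems. A short comment such as `/* probe crypt() before locking: a failure after the lock cannot be reported to the user */` would also record why a dummy password is hashed here. main's body starts and ends outside the hunk.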