Re: [hackers] [slock] [PATCH] simplify fix for CVE-2016-6866

From: FRIGN <>
Date: Wed, 31 Aug 2016 21:51:41 +0200

On Wed, 31 Aug 2016 19:33:41 +0200
Markus Teich <> wrote:

Hey Marcus,

> after reading Erics original CVE report and proposed fix again and
> thinking about it, I came to the conclusion that this is a cleaner
> fix. It calls crypt() pre-locking with a bogus "x" as password just
> to see if the pws value is correct and other system requirements are
> met to call crypt later on after the password has been entered.
> I will apply it tomorrow if there are no objections.

are you sure we are not hitting any TOCTTOU problems here?



Received on Wed Aug 31 2016 - 21:51:41 CEST

This archive was generated by hypermail 2.3.0 : Wed Aug 31 2016 - 22:00:19 CEST