ArchLinux: 201611-21: slock: access restriction bypass
Summary
A null pointer dereference vulnerability has been discovered in the
screen locking application slock. It calls crypt(3) and uses the return
value for strcmp(3) without checking to see if the return value of
crypt(3) was a NULL pointer. If the hash returned by
(getspnam()->sp_pwdp) is invalid, crypt(3) will return NULL and set
errno to EINVAL. This will cause slock to segfault which then leaves
the machine unprotected. A couple of common scenarios where this
might happen are:
- a machine using NSS for authentication; on the machine this bug was
discovered, (getspnam()->sp_pwdp) returns "*".
- the user's account has been disabled for one reason or another; maybe
account expiry or password expiry.
Resolution
Upgrade to 1.4-2.
# pacman -Syu "slock>=1.4-2"
The problem has been fixed upstream in version 1.4.
References
https://seclists.org/oss-sec/2016/q3/333 https://access.redhat.com/security/cve/CVE-2016-6866
Workaround
None.