fix CVE-2016-6866 - slock - simple X display locker utility
       ---
 (DIR) commit d8bec0f6fdc8a246d78cb488a0068954b46fcb29
 (DIR) parent b87bfa234378bcfc1b13273c5089f07902de1725
 (HTM) Author: Markus Teich <markus.teich@stusta.mhn.de>
       Date:   Wed, 31 Aug 2016 00:59:06 +0200
       
       fix CVE-2016-6866
       
       Diffstat:
         M slock.c                             |      10 ++++++++--
       
       1 file changed, 8 insertions(+), 2 deletions(-)
       ---
 (DIR) diff --git a/slock.c b/slock.c
       @@ -123,7 +123,7 @@ readpw(Display *dpy)
        readpw(Display *dpy, const char *pws)
        #endif
        {
       -        char buf[32], passwd[256];
       +        char buf[32], passwd[256], *encrypted;
                int num, screen;
                unsigned int len, color;
                KeySym ksym;
       @@ -159,7 +159,11 @@ readpw(Display *dpy, const char *pws)
        #ifdef HAVE_BSD_AUTH
                                        running = !auth_userokay(getlogin(), NULL, "auth-slock", passwd);
        #else
       -                                running = !!strcmp(crypt(passwd, pws), pws);
       +                                errno = 0;
       +                                if (!(encrypted = crypt(passwd, pws)))
       +                                        fprintf(stderr, "slock: crypt: %s\n", strerror(errno));
       +                                else
       +                                        running = !!strcmp(encrypted, pws);
        #endif
                                        if (running) {
                                                XBell(dpy, 100);
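Review bot: When crypt() returns NULL in the `#else` branch, `running` is never assigned, so the screen stays locked only because `running` is presumably still non-zero from the enclosing event loop, which lies outside this hunk. That fail-closed outcome is the security property this fix depends on, and it should be stated rather than implied. I would add `/* crypt() failed: running is left set, so the screen stays locked */` above the `fprintf`. Bracing both arms of the new `if`/`else` would also make it harder for a later edit to detach the `running` assignment from its guard.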
       @@ -312,6 +316,8 @@ main(int argc, char **argv) {
        
        #ifndef HAVE_BSD_AUTH
                pws = getpw();
       +        if (strlen(pws) < 2)
       +                die("slock: failed to get user password hash.\n");
        #endif
        
                if (!(dpy = XOpenDisplay(NULL)))
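Review bot: The `strlen(pws) < 2` test only rejects the shortest placeholder entries, so a longer string that crypt() cannot use as a setting would still pass. In that case the display locks and readpw() logs a crypt() error on every attempt, leaving the user with no password that can unlock it. Probing the hash once before the display is opened catches this at startup: `if (!crypt("", pws)) die("slock: stored password hash is not usable by crypt().\n");`. The new check also calls strlen() on `pws` without a NULL test, which is safe only if getpw() (not visible in this hunk) never returns NULL.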