Debian Long Term Support / LTS Security Information / 2016 / Security Information -- DLA-598-1 suckless-tools

Debian Security Advisory

DLA-598-1 suckless-tools -- LTS security update

Date Reported:

20 Aug 2016

Affected Packages:

suckless-tools

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2016-6866.

More information:

It was discovered that the slock screen locking tool would segfault when the user's account had been disabled.

slock called crypt(3) and used the return value for strcmp(3) without checking to see if the return value of crypt(3) was a NULL pointer. If the hash returned by (getspnam()->sp_pwdp) was invalid, crypt(3) would return NULL and set errno to EINVAL. This would cause slock to segfault which leaves the machine unprotected.

For Debian 7 Wheezy, this issue has been fixed in suckless-tools version 38-2+deb7u1.

We recommend that you upgrade your suckless-tools packages.