Package        : suckless-tools
Version        : 38-2+deb7u1
CVE ID         : CVE-2016-6866

It was discovered that the slock screen locking tool would segfault when the user's account had been disabled.

slock called crypt(3) and used the return value for strcmp(3) without checking to see if the return value of crypt(3) was a NULL pointer. If the hash returned by (getspnam()->sp_pwdp) was invalid, crypt(3) would return NULL and set errno to EINVAL. This would cause slock to segfault, which leaves the machine unprotected.

For Debian 7 "Wheezy", this issue has been fixed in suckless-tools version 38-2+deb7u1.

We recommend that you upgrade your suckless-tools packages.

Regards,

--
Chris Lamb
la...@debian.org / chris-lamb.co.uk
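The missing NULL check described above, shown as an added example that is not code from slock or from the Debian patch. It assumes a hypothetical check_password() helper, and a constructed stub_crypt() stands in for crypt(3) so the block builds without libcrypt; the stub reproduces only the NULL/EINVAL failure the advisory describes.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3); injected so the example needs no libcrypt. */
typedef char *(*crypt_fn)(const char *key, const char *setting);

/* Constructed stand-in for crypt(3), NOT a real hash: it accepts only a
 * made-up "$toy$" scheme and fails like crypt(3) does on an invalid hash
 * field (for example the "!" of a disabled account). */
static char *stub_crypt(const char *key, const char *setting)
{
    static char out[128];

    if (strncmp(setting, "$toy$", 5) != 0) {
        errno = EINVAL;
        return NULL;
    }
    snprintf(out, sizeof out, "$toy$%s", key);
    return out;
}

/* Hypothetical helper: returns 1 to unlock, 0 to stay locked.
 * The vulnerable pattern is strcmp(do_crypt(typed, stored), stored) with
 * no NULL test in between, which dereferences NULL and kills the locker. */
int check_password(crypt_fn do_crypt, const char *typed, const char *stored)
{
    char *computed;

    errno = 0;
    computed = do_crypt(typed, stored);
    if (computed == NULL) {
        /* Fail closed: report the error and treat it as a wrong password. */
        fprintf(stderr, "crypt: %s\n", strerror(errno));
        return 0;
    }
    return strcmp(computed, stored) == 0;
}

int main(void)
{
    /* Constructed sample values. */
    printf("valid hash, right password: %d\n",
           check_password(stub_crypt, "hunter2", "$toy$hunter2"));
    printf("valid hash, wrong password: %d\n",
           check_password(stub_crypt, "guess", "$toy$hunter2"));
    printf("disabled account (\"!\"):     %d\n",
           check_password(stub_crypt, "hunter2", "!"));
    return 0;
}
```

With the check in place, a disabled account produces an error message and a failed attempt, and the screen stays locked.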