2017-07-17 22:11 GMT+03:00 Michael Reed <mich...@michaelreed.io>:
> The attached patch updates x11/slock to version 1.4, which
> includes a fix for CVE-2016-6866 [1].
>
> IMPORTANT:
> To make slock work in this version, I needed to change the
> install permissions of /usr/local/bin/slock from g+s to u+s.
> I don't know much about priv-dropping, UIDs, EUIDs, and all
> that stuff to know if that was actually a good idea, so any
> advice would be helpful.

In this version the upstream dropped support for BSD authentication.
This will bite: a) YP users (including those who use ypldap); b) users
of non-passwd auth styles.

I'd rather backport the fix from upstream:
http://git.suckless.org/slock/commit/?id=d8bec0f6fdc8a246d78cb488a0068954b46fcb29

But I'm not an slock user, so those are just my thoughts. :)
--
  WBR,
  Vadim Zhukov
