[arch-security] [ASA-201611-21] slock: access restriction bypass
Levente Polyak
anthraxx at archlinux.org
Mon Nov 21 15:14:28 UTC 2016
Arch Linux Security Advisory ASA-201611-21
==========================================
Severity: Medium
Date : 2016-11-21
CVE-ID : CVE-2016-6866
Package : slock
Type : access restriction bypass
Remote : No
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package slock before version 1.4-2 is vulnerable to access
restriction bypass.
Resolution
==========
Upgrade to 1.4-2.
# pacman -Syu "slock>=1.4-2"
The problem has been fixed upstream in version 1.4.
Workaround
==========
None.
Description
===========
A null pointer dereference vulnerability has been discovered in the
screen locking application slock. It calls crypt(3) and uses the return
value for strcmp(3) without checking to see if the return value of
crypt(3) was a NULL pointer. If the hash returned by
(getspnam()->sp_pwdp) is invalid, crypt(3) will return NULL and set
errno to EINVAL. This will cause slock to segfault which then leaves
the machine unprotected. A couple of common scenarios where this
might happen are:
- a machine using NSS for authentication; on the machine this bug was
discovered, (getspnam()->sp_pwdp) returns "*".
- the user's account has been disabled for one reason or another; maybe
account expiry or password expiry.
Impact
======
A local attacker might be able to bypass access restrictions when
locking the screen fails under certain circumstances.
References
==========
http://seclists.org/oss-sec/2016/q3/333
https://access.redhat.com/security/cve/CVE-2016-6866
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20161121/8ef5e40d/attachment.asc>
More information about the arch-security
mailing list