fix CVE-2016-6866 - slock - simple X display locker utility | |
git clone git://git.suckless.org/slock | |
Log | |
Files | |
Refs | |
README | |
LICENSE | |
--- | |
commit d8bec0f6fdc8a246d78cb488a0068954b46fcb29 | |
parent b87bfa234378bcfc1b13273c5089f07902de1725 | |
Author: Markus Teich <[email protected]> | |
Date: Wed, 31 Aug 2016 00:59:06 +0200 | |
fix CVE-2016-6866 | |
Diffstat: | |
M slock.c | 10 ++++++++-- | |
1 file changed, 8 insertions(+), 2 deletions(-) | |
--- | |
diff --git a/slock.c b/slock.c | |
@@ -123,7 +123,7 @@ readpw(Display *dpy) | |
readpw(Display *dpy, const char *pws) | |
#endif | |
{ | |
- char buf[32], passwd[256]; | |
+ char buf[32], passwd[256], *encrypted; | |
int num, screen; | |
unsigned int len, color; | |
KeySym ksym; | |
@@ -159,7 +159,11 @@ readpw(Display *dpy, const char *pws) | |
#ifdef HAVE_BSD_AUTH | |
running = !auth_userokay(getlogin(), NULL, "au… | |
#else | |
- running = !!strcmp(crypt(passwd, pws), pws); | |
+ errno = 0; | |
+ if (!(encrypted = crypt(passwd, pws))) | |
+ fprintf(stderr, "slock: crypt: %s\n", … | |
+ else | |
+ running = !!strcmp(encrypted, pws); | |
#endif | |
if (running) { | |
XBell(dpy, 100); | |
@@ -312,6 +316,8 @@ main(int argc, char **argv) { | |
#ifndef HAVE_BSD_AUTH | |
pws = getpw(); | |
+ if (strlen(pws) < 2) | |
+ die("slock: failed to get user password hash.\n"); | |
#endif | |
if (!(dpy = XOpenDisplay(NULL))) |