Bug 19838

Summary: slock package requires upgrade to 1.4 and additional patches
Product: Mageia
Reporter: youpburden <youpburden>
Component: Security
Assignee: All Packagers <pkg-bugs>
Status: RESOLVED DUPLICATE
QA Contact: Sec team <security>
Severity: minor
Priority: Normal
CC: dan, marja11
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: slock-1.2-3.mga6.i586.rpm
CVE:
Status comment:

Description youpburden 2016-11-24 20:51:37 CET
Arch Linux published a security issue with the package slock before version 1.4-2.

It is vulnerable to access restriction bypass.


Mageia 5 and Cauldron are concerned.

The upstream 1.4 needs both patches:

https://git.archlinux.org/svntogit/community.git/commit/trunk?h=packages/slock&id=3fdfd85a1e3ddcd0a4ec073eddc8c21538d34a9c

https://git.archlinux.org/svntogit/community.git/commit/trunk?h=packages/slock&id=57d5583795209aaae9643a9b76318d71894fa22d



Sources of the security issues:

https://lists.archlinux.org/pipermail/arch-security/2016-November/000768.html

http://seclists.org/oss-sec/2016/q3/333

Comment 1 Marja Van Waes 2016-11-24 23:26:21 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => dan, marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2016-11-25 03:43:32 CET
We patched the security issue a couple months ago.

*** This bug has been marked as a duplicate of bug 19218 ***

Status: NEW => RESOLVED
Resolution: (none) => DUPLICATE