Bug 19218 - slock new security issue CVE-2016-6866
Summary: slock new security issue CVE-2016-6866
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Keywords: validated_update
Duplicates: 19838
Depends on:
Blocks:
 
Reported: 2016-08-19 15:55 CEST by David Walser
Modified: 2016-11-25 03:43 CET

See Also:
Source RPM: slock-1.2-2.mga6.src.rpm

Description David Walser 2016-08-19 15:55:35 CEST
A CVE has been assigned for a security issue in slock:
http://openwall.com/lists/oss-security/2016/08/18/24

This is yet another case of an application failing to account for the fact that crypt() can return NULL (due to a change in glibc a few years ago).

A suggested solution was described in the thread, but no actual patch was given.
Comment 1 David Walser 2016-08-19 15:55:57 CEST
CC'ing Dan who last updated this and may have an interest.

CC: (none) => dan
Whiteboard: (none) => MGA5TOO

Comment 2 Marja Van Waes 2016-08-21 11:47:44 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 3 David Walser 2016-09-10 10:50:46 CEST
Fedora has issued an advisory for this on September 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RZPEJQNVODYSI4WQXM5GQKXRO7TPK2VG/

Patched packages uploaded for Mageia 5 and Cauldron.

Dan, there is a version 1.3 available if you're interested in updating it again.

Advisory:
========================

Updated slock packages fix security vulnerability:

The slock utility is susceptible to a crash when verifying a password for a user
without a valid shadow hash entry (CVE-2016-6866).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6866
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RZPEJQNVODYSI4WQXM5GQKXRO7TPK2VG/
========================

Updated packages in core/updates_testing:
========================
slock-1.1-5.1.mga5

from slock-1.1-5.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)
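
Added example (not part of the bug report, and not slock's code or the Mageia patch): the description's point that crypt() can return NULL and the advisory's crash for a user without a valid shadow hash entry both come down to a missing NULL check before the hash comparison. The names `verify_password`, `can_lock` and the stand-in `fake_crypt` are assumptions made here so the sketch runs without linking libcrypt.

```c
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3). Passing the hash function in lets this
 * example run without linking libcrypt; real code would pass crypt. */
typedef char *(*hash_fn)(const char *key, const char *salt);
enum verdict { PW_MATCH, PW_MISMATCH, PW_UNVERIFIABLE };

/* Constructed stand-in for crypt(3), NOT a real hash. Like glibc's crypt()
 * with a traditional salt, it returns NULL unless the first two salt
 * characters come from [./0-9A-Za-z]. */
static char *fake_crypt(const char *key, const char *salt)
{
    static const char ok[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    static char out[128];
    if (!salt[0] || !salt[1] || !strchr(ok, salt[0]) || !strchr(ok, salt[1]))
        return NULL;
    snprintf(out, sizeof out, "%.2s%s", salt, key);
    return out;
}

/* Unchecked pattern: strcmp(hash(typed, stored), stored) dereferences NULL
 * when the stored entry is "!", "*" or "x". Checked version: */
static enum verdict verify_password(const char *typed, const char *stored,
                                    hash_fn hash)
{
    const char *computed;
    if (!typed || !stored || !*stored)
        return PW_UNVERIFIABLE;
    computed = hash(typed, stored);
    if (!computed)                 /* the check the crash case lacks */
        return PW_UNVERIFIABLE;    /* never treat this as a match */
    return strcmp(computed, stored) == 0 ? PW_MATCH : PW_MISMATCH;
}

/* Preflight for a locker: refuse to lock if this entry can never verify. */
static int can_lock(const char *stored, hash_fn hash)
{
    return stored && *stored && hash("", stored) != NULL;
}

int main(void)
{
    const char *e[] = { "abhunter2", "!", "*", "x" }; /* constructed entries */
    for (size_t i = 0; i < sizeof e / sizeof *e; i++)
        printf("%-9s can_lock=%d verdict=%d\n", e[i], can_lock(e[i], fake_crypt),
               verify_password("hunter2", e[i], fake_crypt));
    return 0;
}
```

Running the preflight before grabbing the display means an account with an unusable shadow entry gets an error message instead of a locked screen that no password can open.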

Comment 4 Lewis Smith 2016-09-16 08:54:49 CEST
Trying x64, but to others - beware.

I can find no useful information about how to use it.
 http://tools.suckless.org/slock/
says "Simple X display locker. This is the simplest X screen locker we are aware of"
and "Slock is configured via config.h" and "Slock can be started after a specific period of user inactivity using xautolock. The command syntax is:
 xautolock -time 10 -locker slock
Simpler alternatives to xautolock might be xssstate or xss".

None of these 3 x commands are installed on my box. There is no man entry for slock, installed pre-update slock-1.1-5.mga5 . Do NOT try (as I did)
 # slock
which immediately blanked the screen, and I had no idea how to get out of that. No likely keystrokes did anything. Had to do Ctrl/Alt/Backspace/Backspace to re-start X.
Worse, after re-logging in, response to the root password after '$ su' has become extremely long. I suspect the [shadow] password system was affected. I hope this is not permanent.

CC: (none) => lewyssmith

Comment 5 Lewis Smith 2016-09-16 09:21:36 CEST
(In reply to Lewis Smith from comment #4)
> Trying x64
> Do NOT try (as I did)
>  # slock
> which immediately blanked the screen, and I had no idea how to get out of
> that. No likely keystrokes did anything. Had to re-start X.
> Worse, after re-logging in, response to the root password after '$ su' has
> become extremely long. I suspect the [shadow] password system was affected.
> I hope this is not permanent.
Luckily, it is not. After a re-boot, this aspect is back to normal.
Comment 6 Herman Viaene 2016-09-16 10:51:08 CEST
MGA5-32 on Acer D620 Xfce
No installation issues.
Google is your friend: typed in "slock help" and first item found says: "in blank screen type your user password". There is no prompt.
Tested that way and behaves OK.

CC: (none) => herman.viaene

Herman Viaene 2016-09-16 10:51:27 CEST

Whiteboard: (none) => MGA5-32-OK

Comment 7 Lewis Smith 2016-09-16 15:45:37 CEST
(In reply to Herman Viaene from comment #6)
> "in blank screen type your user password". There is no prompt.
Excellent, thank you Herman. You would think that would be on its site...

Tested M5 x64 real h/w.

BEFORE update: slock-1.1-5.mga5
 $ slock
works as noted above. The blanked screen turns bluish when password is typed.

AFTER update: slock-1.1-5.1.mga5
Same behaviour; OK.

Update validated, advisory to follow.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 8 Lewis Smith 2016-09-18 11:48:49 CEST
Advisory uploaded.

Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 9 Mageia Robot 2016-09-21 22:39:15 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0308.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 10 David Walser 2016-11-25 03:43:32 CET
*** Bug 19838 has been marked as a duplicate of this bug. ***

CC: (none) => youpburden
