Bug 19838 - slock package requires upgrade to 1.4 and additional patches
Summary: slock package requires upgrade to 1.4 and additional patches
Status: RESOLVED DUPLICATE of bug 19218
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal minor
Target Milestone: ---
Assignee: All Packagers
QA Contact: Sec team
 
Reported: 2016-11-24 20:51 CET by youpburden
Modified: 2016-11-25 03:43 CET

Source RPM: slock-1.2-3.mga6.i586.rpm

Description youpburden 2016-11-24 20:51:37 CET
Archlinux published a security issue with the package slock before version 1.4-2.

It is vulnerable to access restriction bypass.


Mageia 5 and Cauldron are concerned.

The upstream 1.4 needs both patches:

https://git.archlinux.org/svntogit/community.git/commit/trunk?h=packages/slock&id=3fdfd85a1e3ddcd0a4ec073eddc8c21538d34a9c

https://git.archlinux.org/svntogit/community.git/commit/trunk?h=packages/slock&id=57d5583795209aaae9643a9b76318d71894fa22d



Sources of the security issues:

https://lists.archlinux.org/pipermail/arch-security/2016-November/000768.html

http://seclists.org/oss-sec/2016/q3/333
Comment 1 Marja Van Waes 2016-11-24 23:26:21 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => dan, marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2016-11-25 03:43:32 CET
We patched the security issue a couple months ago.

*** This bug has been marked as a duplicate of bug 19218 ***

Status: NEW => RESOLVED
Resolution: (none) => DUPLICATE

