oss-sec mailing list archives

Re: CVE Request - xlockmore 5.43 fixes a security flaw


From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 16 Jul 2013 14:18:03 -0600

On 07/16/2013 01:18 PM, mancha wrote:
> Hello Kurt, vendors, et al.
>
> xlockmore 5.43 released 2 days ago with a fix for a security flaw
> related to potential NULL pointer dereferences when authenticating
> via glibc 2.17+ crypt() and OSF/1 C2 security's dispcrypt().
>
> Under certain conditions the NULL pointers can trigger a crash in
> xlockmore effectively bypassing the screen lock.
>
> [1] http://www.tux.org/~bagleyd/xlock/xlockmore.README
>
> --mancha



To reiterate: so I can confirm CVE assignments, and prevent duplicate
assignments you *MUST* provide links to the code commits/vulnerable
code. I don't have the time to go hunting through your source code for
them. People need to start making better CVE requests, or you're not
going to get CVEs from me.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
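The bug class described in the quoted report, as an added example that is not part of the original thread and is not xlockmore's code: a password check that passes the result of crypt() straight to strcmp(), next to a form that treats a NULL return as a failed login so the screen stays locked. The names check_unsafe, check_password and stub_crypt are hypothetical, and stub_crypt is a constructed stand-in for crypt() (no real hashing) so the example builds without libcrypt.

```c
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3); injected so the example needs no -lcrypt. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Constructed stand-in for crypt(): returns NULL for a salt it rejects
 * (here, one starting with '!'), as crypt() may do on error; otherwise
 * returns a fake "hash" made of the 2-char salt, '$' and the key. */
char *stub_crypt(const char *key, const char *salt)
{
    static char out[128];
    if (salt[0] == '!')
        return NULL;
    snprintf(out, sizeof out, "%.2s$%s", salt, key);
    return out;
}

/* Unchecked pattern: a NULL return from do_crypt() is dereferenced by
 * strcmp(), the process crashes, and a screen locker that dies unlocks. */
int check_unsafe(crypt_fn do_crypt, const char *typed, const char *stored)
{
    return strcmp(do_crypt(typed, stored), stored) == 0;
}

/* Checked pattern: any failure to compute the hash is a failed login. */
int check_password(crypt_fn do_crypt, const char *typed, const char *stored)
{
    if (typed == NULL || stored == NULL)
        return 0;
    const char *computed = do_crypt(typed, stored);
    if (computed == NULL)
        return 0;               /* fail closed: stay locked */
    return strcmp(computed, stored) == 0;
}

int main(void)
{
    /* Constructed sample entries; "!locked" is a salt the stub rejects. */
    printf("good password : %d\n", check_password(stub_crypt, "hunter2", "ab$hunter2"));
    printf("bad password  : %d\n", check_password(stub_crypt, "wrong", "ab$hunter2"));
    printf("rejected salt : %d\n", check_password(stub_crypt, "hunter2", "!locked"));
    return 0;
}
```

check_unsafe is deliberately never called with the rejected salt, since that call would dereference NULL.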

