oss-sec mailing list archives
CVE request - slock, all versions NULL pointer dereference
From: Eric Pruitt <eric.pruitt () gmail com>
Date: Thu, 18 Aug 2016 11:44:56 -0700
The screen locking application slock (http://tools.suckless.org/slock/) calls crypt(3) and uses the return value for strcmp(3) without checking to see if the return value of crypt(3) was a NULL pointer. If the hash returned by (getspnam()->sp_pwdp) is invalid, crypt(3) will return NULL and set errno to EINVAL. This will cause slock to segfault, which then leaves the machine unprotected.

A couple of common scenarios where this might happen are:

- a machine using NSS for authentication; on the machine I discovered this bug, (getspnam()->sp_pwdp) returns "*".
- the user's account has been disabled for one reason or another; maybe account expiry or password expiry.

One approach to ensure slock will not run on machines without local hashes would be to check the return value of crypt("x", (...)->sp_pwdp) and verify that it returns a non-NULL value before actually locking the screen.

Eric
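The following is an added example, not slock's code or a patch from the slock project. It shows the two checks the report calls for: treating a NULL return from crypt(3) as an authentication error (keeping the screen locked instead of dereferencing the pointer), and the pre-lock probe with crypt("x", hash) that refuses to lock when the stored hash is unusable. The crypt function is passed in as a parameter so the logic can be exercised with a constructed stand-in (`fake_crypt`, which mimics the NULL/EINVAL behaviour described in the post for a setting such as "*"); building with `-DUSE_LIBCRYPT -lcrypt` runs the same checks against the real crypt(3). `fake_crypt`, the `$fake$` prefix and the `USE_LIBCRYPT` macro are assumptions of this example.

```c
/* Added example: fail closed when crypt(3) cannot process the stored hash.
 * Not slock's code. The report says slock handed crypt()'s result straight
 * to strcmp(); a NULL there segfaults the locker and unlocks the machine. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>

#ifdef USE_LIBCRYPT
#include <crypt.h>   /* real crypt(3); link with -lcrypt */
#endif

/* crypt(3)'s signature; the checks take it as a parameter so they can be
 * driven by fake_crypt below when libcrypt is not linked. */
typedef char *(*crypt_fn)(const char *key, const char *setting);

enum auth_result { AUTH_OK = 0, AUTH_WRONG = 1, AUTH_ERROR = 2 };

/* The fix for the reported bug: a NULL from crypt() is an error that keeps
 * the screen locked, never a pointer to compare. */
static enum auth_result check_password(crypt_fn do_crypt,
                                       const char *stored_hash,
                                       const char *typed)
{
    if (stored_hash == NULL || typed == NULL)
        return AUTH_ERROR;
    errno = 0;
    const char *computed = do_crypt(typed, stored_hash);
    if (computed == NULL) {
        /* glibc: NULL with errno == EINVAL for an unusable setting such as
         * "*" or "!" (the NSS and disabled-account cases in the report). */
        return AUTH_ERROR;
    }
    return strcmp(computed, stored_hash) == 0 ? AUTH_OK : AUTH_WRONG;
}

/* The pre-lock check suggested in the report: probe crypt("x", hash) and
 * refuse to lock at all if it yields NULL, rather than crashing later. */
static int hash_is_usable(crypt_fn do_crypt, const char *stored_hash)
{
    if (stored_hash == NULL || stored_hash[0] == '\0')
        return 0;
    errno = 0;
    return do_crypt("x", stored_hash) != NULL;
}

/* Constructed stand-in for crypt(3) (assumption of this example, not a real
 * hash): settings beginning with "$fake$" are "parseable" and the result is
 * "$fake$<key>", so the stored hash "$fake$secret" matches key "secret".
 * Anything else reproduces the documented failure: NULL, errno = EINVAL. */
static char *fake_crypt(const char *key, const char *setting)
{
    static char out[128];
    if (key == NULL || setting == NULL || strncmp(setting, "$fake$", 6) != 0) {
        errno = EINVAL;
        return NULL;
    }
    snprintf(out, sizeof out, "$fake$%s", key);
    return out;
}

int main(void)
{
    /* Constructed sample: what getspnam()->sp_pwdp looked like in the report. */
    const char *nss_hash = "*";
    const char *local_hash = "$fake$secret";

    printf("usable(\"*\")            = %d\n", hash_is_usable(fake_crypt, nss_hash));
    printf("usable(\"$fake$secret\") = %d\n", hash_is_usable(fake_crypt, local_hash));
    printf("check(\"*\", \"anything\") = %d (2 = error, stays locked)\n",
           check_password(fake_crypt, nss_hash, "anything"));
    printf("check(local, \"secret\")  = %d (0 = ok)\n",
           check_password(fake_crypt, local_hash, "secret"));
#ifdef USE_LIBCRYPT
    printf("real crypt(\"x\", \"*\") usable = %d\n", hash_is_usable(crypt, "*"));
#endif
    return 0;
}
```

The important property is that every path through `check_password` that cannot produce a real comparison returns `AUTH_ERROR`, which a locker should treat exactly like a wrong password; the probe in `hash_is_usable` is what lets the program refuse to lock on an NSS-only or disabled account instead of locking and then crashing.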