oss-sec mailing list archives

CVE request - slock, all versions NULL pointer dereference


From: Eric Pruitt <eric.pruitt () gmail com>
Date: Thu, 18 Aug 2016 11:44:56 -0700

The screen locking application slock (http://tools.suckless.org/slock/)
calls crypt(3) and uses the return value for strcmp(3) without checking
to see if the return value of crypt(3) was a NULL pointer. If the hash
returned by (getspnam()->sp_pwdp) is invalid, crypt(3) will return NULL
and set errno to EINVAL. This will cause slock to segfault which then
leaves the machine unprotected. A couple of common scenarios where this
might happen are:

- a machine using NSS for authentication; on the machine I discovered
  this bug, (getspnam()->sp_pwdp) returns "*".
- the user's account has been disabled for one reason or another; maybe
  account expiry or password expiry.

One approach to ensure slock will not run on machines without local
hashes would be to check the return value of crypt("x", (...)->sp_pwdp)
and verify that it returns a non-NULL value before actually locking the
screen.

Eric
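Added example (not slock's code and not part of the report above): the two patterns side by side in C, the strcmp()-straight-on-crypt() call the post describes and a version that treats a NULL from crypt(3) as a failed check, plus the crypt("x", hash) pre-lock probe the post suggests. The crypt() stand-in (fake_crypt), its "$t$<salt>$<digest>" format, the "saltsalt" salt and the "correct horse" password are all constructed for this example; with the real crypt(3) you would include <crypt.h>, link with -lcrypt and pass crypt as the function argument.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Signature of crypt(3), so the real crypt() (from <crypt.h>, link with
 * -lcrypt) can be passed in place of the constructed stand-in below. */
typedef char *(*crypt_fn)(const char *key, const char *setting);

enum auth_result { AUTH_OK, AUTH_BAD_PASSWORD, AUTH_NO_USABLE_HASH };

/* Constructed stand-in for glibc's crypt(3); NOT a real password hash.
 * It mimics the failure mode from the post: a setting that is not a valid
 * hash (such as the "*" placeholder an NSS-backed account carries in
 * sp_pwdp) yields NULL with errno = EINVAL. Valid settings look like
 * "$t$<salt>$..." and the same key + salt always reproduces the same hash. */
static char *fake_crypt(const char *key, const char *setting)
{
    static char out[128];
    if (setting == NULL || strncmp(setting, "$t$", 3) != 0) {
        errno = EINVAL;
        return NULL;
    }
    const char *salt = setting + 3;
    size_t salt_len = strcspn(salt, "$");
    if (salt_len == 0 || salt_len > 16) {
        errno = EINVAL;
        return NULL;
    }
    unsigned long h = 5381;                      /* toy djb2 over salt + key */
    for (size_t i = 0; i < salt_len; i++)
        h = h * 33 + (unsigned char)salt[i];
    for (const char *p = key; *p; p++)
        h = h * 33 + (unsigned char)*p;
    snprintf(out, sizeof out, "$t$%.*s$%08lx", (int)salt_len, salt,
             h & 0xffffffffUL);
    return out;
}

/* The pattern the post describes: crypt()'s result goes straight into
 * strcmp(). When crypt() returns NULL this dereferences NULL and the locker
 * dies, leaving the screen unlocked. Kept only for contrast; never call it
 * with a hash that crypt() might reject. */
static int check_password_unsafe(crypt_fn cryptf, const char *input,
                                 const char *stored)
{
    return strcmp(cryptf(input, stored), stored) == 0;
}

/* Hardened form: a NULL from crypt() is reported as a distinct failure,
 * never dereferenced and never treated as a match. A crypt() that returns a
 * failure token instead of NULL still fails closed here, because no token
 * can compare equal to a valid stored hash. */
static enum auth_result check_password(crypt_fn cryptf, const char *input,
                                       const char *stored)
{
    if (stored == NULL || stored[0] == '\0')
        return AUTH_NO_USABLE_HASH;
    errno = 0;
    const char *computed = cryptf(input, stored);
    if (computed == NULL)                       /* errno is EINVAL in the post's scenario */
        return AUTH_NO_USABLE_HASH;
    return strcmp(computed, stored) == 0 ? AUTH_OK : AUTH_BAD_PASSWORD;
}

/* The pre-lock probe the post suggests: run crypt("x", hash) before locking
 * and refuse to lock unless it produces a hash. A leading '*' is also
 * rejected, since no valid hash starts with it but some crypt() builds
 * return a "*..." failure token rather than NULL. */
static int hash_is_usable(crypt_fn cryptf, const char *stored)
{
    if (stored == NULL || stored[0] == '\0')
        return 0;
    errno = 0;
    const char *probe = cryptf("x", stored);
    return probe != NULL && probe[0] != '*';
}

/* Constructed /etc/shadow-style entry for the fake scheme, copied out of
 * fake_crypt()'s static buffer so later crypt calls do not clobber it. */
static const char *sample_shadow_hash(const char *password)
{
    static char stored[128];
    snprintf(stored, sizeof stored, "%s", fake_crypt(password, "$t$saltsalt$"));
    return stored;
}

int main(void)
{
    const char *good = sample_shadow_hash("correct horse");
    const char *nss_placeholder = "*";           /* what sp_pwdp held in the post */

    printf("local hash usable: %d, '*' placeholder usable: %d\n",
           hash_is_usable(fake_crypt, good),
           hash_is_usable(fake_crypt, nss_placeholder));
    printf("correct -> %d, wrong -> %d, '*' entry -> %d (0=OK,1=bad,2=no hash)\n",
           check_password(fake_crypt, "correct horse", good),
           check_password(fake_crypt, "wrong", good),
           check_password(fake_crypt, "anything", nss_placeholder));
    printf("unsafe path with a valid hash still works: %d\n",
           check_password_unsafe(fake_crypt, "correct horse", good));
    /* check_password_unsafe(fake_crypt, "anything", nss_placeholder) would
     * segfault here, which is the crash the report describes. */
    return 0;
}
```

Two things to keep in mind when swapping in the real crypt(3): it shares one static buffer between calls, which is why sample_shadow_hash() copies its result before anything else calls crypt; and newer libxcrypt builds return a failure token beginning with '*' (and set errno) rather than NULL, so a bare NULL check is not by itself a sufficient "is this hash usable" probe there, which is why hash_is_usable() rejects the '*' prefix as well.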

