[SECURITY] [DLA 598-1] suckless-tools security update

2016-08-2014:44:58

lists.debian.org

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.008

Percentile

81.8%

JSON

Package : suckless-tools
Version : 38-2+deb7u1
CVE ID : CVE-2016-6866

It was discovered that the slock screen locking tool would segfault when the
user's account had been disabled.

slock called crypt(3) and used the return value for strcmp(3) without checking
to see if the return value of crypt(3) was a NULL pointer. If the hash returned
by (getspnam()->sp_pwdp) was invalid, crypt(3) would return NULL and set errno
to EINVAL. This would cause slock to segfault which leaves the machine
unprotected.

For Debian 7 "Wheezy", this issue has been fixed in suckless-tools version
38-2+deb7u1.

We recommend that you upgrade your suckless-tools packages.

Regards,

  ,&#x27;&#x27;`.
 : :&#x27;  :     Chris Lamb
 `. `&#x27;`      [email protected] / chris-lamb.co.uk
   `-

OSVersionArchitecturePackageVersionFilename
Debian8armelsuckless-tools< 40-1+deb8u2suckless-tools_40-1+deb8u2_armel.deb
Debian8s390xsuckless-tools< 40-1+deb8u2suckless-tools_40-1+deb8u2_s390x.deb
Debian7i386suckless-tools< 38-2+deb7u1suckless-tools_38-2+deb7u1_i386.deb
Debian8i386suckless-tools< 40-1+deb8u2suckless-tools_40-1+deb8u2_i386.deb
Debian8ppc64elsuckless-tools< 40-1+deb8u2suckless-tools_40-1+deb8u2_ppc64el.deb
Debian8arm64suckless-tools< 40-1+deb8u2suckless-tools_40-1+deb8u2_arm64.deb
Debian7amd64suckless-tools< 38-2+deb7u1suckless-tools_38-2+deb7u1_amd64.deb
Debian8allsuckless-tools< 40-1+deb8u2suckless-tools_40-1+deb8u2_all.deb
Debian8armhfsuckless-tools< 40-1+deb8u2suckless-tools_40-1+deb8u2_armhf.deb
Debian7armhfsuckless-tools< 38-2+deb7u1suckless-tools_38-2+deb7u1_armhf.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	armel	suckless-tools	< 40-1+deb8u2	suckless-tools_40-1+deb8u2_armel.deb
Debian	8	s390x	suckless-tools	< 40-1+deb8u2	suckless-tools_40-1+deb8u2_s390x.deb
Debian	7	i386	suckless-tools	< 38-2+deb7u1	suckless-tools_38-2+deb7u1_i386.deb
Debian	8	i386	suckless-tools	< 40-1+deb8u2	suckless-tools_40-1+deb8u2_i386.deb
Debian	8	ppc64el	suckless-tools	< 40-1+deb8u2	suckless-tools_40-1+deb8u2_ppc64el.deb
Debian	8	arm64	suckless-tools	< 40-1+deb8u2	suckless-tools_40-1+deb8u2_arm64.deb
Debian	7	amd64	suckless-tools	< 38-2+deb7u1	suckless-tools_38-2+deb7u1_amd64.deb
Debian	8	all	suckless-tools	< 40-1+deb8u2	suckless-tools_40-1+deb8u2_all.deb
Debian	8	armhf	suckless-tools	< 40-1+deb8u2	suckless-tools_40-1+deb8u2_armhf.deb
Debian	7	armhf	suckless-tools	< 38-2+deb7u1	suckless-tools_38-2+deb7u1_armhf.deb