> A patch to change this has been applied to upstream slock (latest git), > see: > http://git.suckless.org/slock/commit/?id=a7afade1701a809f6a33b53525d59dd29b38d381 > > I have imported explicit_bzero.c from libressl-portable.
Very cool, thank you! Patch makes sense to me as it is. Is there a new release for slock planned anytime soon? If not: ok for the following diff so we have this in our port?
Index: Makefile
===================================================================
RCS file: /var/cvs/ports/x11/slock/Makefile,v
retrieving revision 1.14
diff -u -p -r1.14 Makefile
--- Makefile 6 Jul 2016 21:34:15 -0000 1.14
+++ Makefile 30 Jul 2016 16:44:14 -0000
@@ -3,7 +3,7 @@
 COMMENT= simple X screen locker
 DISTNAME= slock-1.3
-REVISION= 0
+REVISION= 1
 CATEGORIES= x11
Index: patches/patch-config_mk
===================================================================
RCS file: /var/cvs/ports/x11/slock/patches/patch-config_mk,v
retrieving revision 1.8
diff -u -p -r1.8 patch-config_mk
--- patches/patch-config_mk 5 Mar 2016 19:17:01 -0000 1.8
+++ patches/patch-config_mk 13 Aug 2016 11:34:26 -0000
@@ -1,6 +1,6 @@
 $OpenBSD: patch-config_mk,v 1.8 2016/03/05 19:17:01 jung Exp $
 --- config.mk.orig Fri Feb 12 20:29:02 2016
-+++ config.mk Sat Feb 27 10:43:40 2016
++++ config.mk Sat Aug 13 13:33:05 2016
 @@ -4,28 +4,28 @@ VERSION = 1.3
 # Customize below to fit your system
@@ -25,7 +25,7 @@ $OpenBSD: patch-config_mk,v 1.8 2016/03/
 -CPPFLAGS = -DVERSION=\"${VERSION}\" -DHAVE_SHADOW_H
 -CFLAGS = -std=c99 -pedantic -Wall -Os ${INCS} ${CPPFLAGS}
 -LDFLAGS = -s ${LIBS}
-+CPPFLAGS += -DVERSION=\"${VERSION}\" -DHAVE_BSD_AUTH
++CPPFLAGS += -DVERSION=\"${VERSION}\" -DHAVE_BSD_AUTH -D_BSD_SOURCE
 +CFLAGS += -std=c99 -pedantic -Wall ${INCS} ${CPPFLAGS}
 +LDFLAGS += ${LIBS}
Index: patches/patch-slock_c
===================================================================
RCS file: patches/patch-slock_c
diff -N patches/patch-slock_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-slock_c 13 Aug 2016 11:31:44 -0000 
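Review bot: The `-D_BSD_SOURCE` added to the `CPPFLAGS` line in patch-config_mk carries no explanation in the patch itself; presumably it is there so the `explicit_bzero(3)` prototype stays visible under the `-std=c99` that the `CFLAGS` line just below keeps, since strict-standard mode otherwise hides the BSD extensions. Without a note, a future update of the port could drop the define and only notice it as an implicit-declaration warning, with the call to explicit_bzero() still compiling. A one-line comment after the patch's `$OpenBSD$` header, e.g. `-D_BSD_SOURCE: keep the explicit_bzero(3) prototype visible with -std=c99`, would record the reason next to the flag.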
@@ -0,0 +1,34 @@
+$OpenBSD$
+
+Patch from upstream:
+Make sure to explicitly clear memory that is used for password input.
+
+--- slock.c.orig Fri Feb 12 20:29:02 2016
++++ slock.c Sat Aug 13 13:31:32 2016
+@@ -142,7 +142,7 @@ readpw(Display *dpy, const char *pws)
+ * timeout. */
+ while (running && !XNextEvent(dpy, &ev)) {
+ if (ev.type == KeyPress) {
+- buf[0] = 0;
++ explicit_bzero(buf, sizeof(buf));
+ num = XLookupString(&ev.xkey, buf, sizeof(buf), &ksym, 0);
+ if (IsKeypadKey(ksym)) {
+ if (ksym == XK_KP_Enter)
+@@ -168,14 +168,16 @@ readpw(Display *dpy, const char *pws)
+ XBell(dpy, 100);
+ failure = True;
+ }
++ explicit_bzero(passwd, sizeof(passwd));
+ len = 0;
+ break;
+ case XK_Escape:
+ len = 0;
++ explicit_bzero(passwd, sizeof(passwd));
+ break;
+ case XK_BackSpace:
+ if (len)
+- --len;
++ passwd[len--] = 0;
+ break;
+ default:
+ if (num && !iscntrl((int)buf[0]) && (len + num < sizeof(passwd))) {
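Review bot: The BackSpace branch in the second nested hunk (`@@ -168,14 +168,16 @@`) clears the wrong byte: `passwd[len--] = 0;` writes the zero to `passwd[len]`, the slot after the last stored character, and only then decrements `len`, so the character being erased stays in `passwd[len-1]` until it is overwritten or the whole array is wiped on Return or Escape. Judging by the `len + num < sizeof(passwd)` bound check at the end of the hunk, `len` counts the characters stored so far, so the erased character lives at index `len-1` and the pre-decrement form `passwd[--len] = '\0';` is what wipes it; the surrounding `if (len)` already rules out the zero case. The lock still behaves correctly either way because `len` is decremented, but the purpose of this patch is to leave no stale password bytes in memory, and this line defeats that for every backspace. The `readpw` function starts before and continues after both nested hunks.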