The attached patch updates x11/slock to version 1.4, which
includes a fix for CVE-2016-6866 [1].
IMPORTANT:
To make slock work in this version, I needed to change the
install permissions of /usr/local/bin/slock from g+s to u+s.
I don't know enough about privilege dropping, UIDs, EUIDs, and all
that stuff to know whether that was actually a good idea, so any
advice would be helpful.
Michael Reed
[1] https://nvd.nist.gov/vuln/detail/CVE-2016-6866
Index: Makefile
===================================================================
RCS file: /cvs/ports/x11/slock/Makefile,v
retrieving revision 1.15
diff -u -p -r1.15 Makefile
--- Makefile 13 Aug 2016 14:00:00 -0000 1.15
+++ Makefile 17 Jul 2017 19:03:37 -0000
@@ -2,8 +2,7 @@
COMMENT= simple X screen locker
-DISTNAME= slock-1.3
-REVISION= 1
+DISTNAME= slock-1.4
CATEGORIES= x11
Index: distinfo
===================================================================
RCS file: /cvs/ports/x11/slock/distinfo,v
retrieving revision 1.10
diff -u -p -r1.10 distinfo
--- distinfo 5 Mar 2016 19:17:01 -0000 1.10
+++ distinfo 17 Jul 2017 19:03:37 -0000
@@ -1,2 +1,2 @@
-SHA256 (slock-1.3.tar.gz) = urSjrqQEaqD9A2HDZJt5uQylMbxd+uPEpsD+Q2FSvRg=
-SIZE (slock-1.3.tar.gz) = 5943
+SHA256 (slock-1.4.tar.gz) = tThJ28YBCamH16SbjaGXMFwpMH/XTBLcGK8NMEQ5Lmo=
+SIZE (slock-1.4.tar.gz) = 6889
Index: patches/patch-Makefile
===================================================================
RCS file: /cvs/ports/x11/slock/patches/patch-Makefile,v
retrieving revision 1.5
diff -u -p -r1.5 patch-Makefile
--- patches/patch-Makefile 5 Mar 2016 19:17:01 -0000 1.5
+++ patches/patch-Makefile 17 Jul 2017 19:03:37 -0000
@@ -1,6 +1,7 @@
$OpenBSD: patch-Makefile,v 1.5 2016/03/05 19:17:01 jung Exp $
---- Makefile.orig Fri Feb 12 20:29:02 2016
-+++ Makefile Fri Feb 26 21:06:04 2016
+Index: Makefile
+--- Makefile.orig
++++ Makefile
@@ -15,8 +15,7 @@ options:
@echo "CC = ${CC}"
@@ -9,7 +10,7 @@ $OpenBSD: patch-Makefile,v 1.5 2016/03/0
- @${CC} -c ${CFLAGS} $<
+ ${CC} -c ${CFLAGS} $<
- ${OBJ}: config.h config.mk
+ ${OBJ}: config.h config.mk arg.h util.h
@@ -25,8 +24,7 @@ config.h:
@cp config.def.h $@
@@ -21,7 +22,7 @@ $OpenBSD: patch-Makefile,v 1.5 2016/03/0
clean:
@echo cleaning
-@@ -42,15 +40,12 @@ dist: clean
+@@ -42,15 +40,11 @@ dist: clean
@rm -rf slock-${VERSION}
install: all
@@ -37,8 +38,7 @@ $OpenBSD: patch-Makefile,v 1.5 2016/03/0
+ ${BSD_INSTALL_PROGRAM_DIR} ${DESTDIR}${PREFIX}/bin
+ ${BSD_INSTALL_PROGRAM} slock ${DESTDIR}${PREFIX}/bin
+ ${BSD_INSTALL_MAN_DIR} ${DESTDIR}${MANPREFIX}/man1
-+ sed "s/VERSION/${VERSION}/g" < slock.1 > slock.1.tmp
-+ mv slock.1.tmp slock.1
++ sed -i "s/VERSION/${VERSION}/g" slock.1
+ ${BSD_INSTALL_MAN} slock.1 ${DESTDIR}${MANPREFIX}/man1
uninstall:
Index: patches/patch-config_def_h
===================================================================
RCS file: /cvs/ports/x11/slock/patches/patch-config_def_h,v
retrieving revision 1.2
diff -u -p -r1.2 patch-config_def_h
--- patches/patch-config_def_h 5 Mar 2016 19:17:01 -0000 1.2
+++ patches/patch-config_def_h 17 Jul 2017 19:03:37 -0000
@@ -1,11 +1,13 @@
$OpenBSD: patch-config_def_h,v 1.2 2016/03/05 19:17:01 jung Exp $
---- config.def.h.orig Fri Feb 12 20:29:02 2016
-+++ config.def.h Fri Feb 26 20:57:47 2016
-@@ -1,6 +1,6 @@
+Index: config.def.h
+--- config.def.h.orig
++++ config.def.h
+@@ -4,7 +4,7 @@ static const char *group = "nogroup";
+
static const char *colorname[NUMCOLS] = {
- "black", /* after initialization */
-- "#005577", /* during input */
-+ "#404040", /* during input */
- "#CC3333", /* failed/cleared the input */
+ [INIT] = "black", /* after initialization */
+- [INPUT] = "#005577", /* during input */
++ [INPUT] = "#404040", /* during input */
+ [FAILED] = "#CC3333", /* wrong password */
};
- static const Bool failonclear = True;
+
Index: patches/patch-config_mk
===================================================================
RCS file: /cvs/ports/x11/slock/patches/patch-config_mk,v
retrieving revision 1.9
diff -u -p -r1.9 patch-config_mk
--- patches/patch-config_mk 13 Aug 2016 14:00:00 -0000 1.9
+++ patches/patch-config_mk 17 Jul 2017 19:03:37 -0000
@@ -1,7 +1,8 @@
$OpenBSD: patch-config_mk,v 1.9 2016/08/13 14:00:00 tb Exp $
---- config.mk.orig Fri Feb 12 20:29:02 2016
-+++ config.mk Sat Aug 13 15:38:13 2016
-@@ -4,28 +4,28 @@ VERSION = 1.3
+Index: config.mk
+--- config.mk.orig
++++ config.mk
+@@ -4,21 +4,21 @@ VERSION = 1.4
# Customize below to fit your system
# paths
@@ -22,23 +23,20 @@ $OpenBSD: patch-config_mk,v 1.9 2016/08/
+LIBS = -L${X11LIB} -lX11 -lXext -lXrandr
# flags
--CPPFLAGS = -DVERSION=\"${VERSION}\" -DHAVE_SHADOW_H
+-CPPFLAGS = -DVERSION=\"${VERSION}\" -D_DEFAULT_SOURCE -DHAVE_SHADOW_H
-CFLAGS = -std=c99 -pedantic -Wall -Os ${INCS} ${CPPFLAGS}
-LDFLAGS = -s ${LIBS}
-+CPPFLAGS += -DVERSION=\"${VERSION}\" -DHAVE_BSD_AUTH -D_BSD_SOURCE
-+CFLAGS += -std=c99 -pedantic -Wall ${INCS} ${CPPFLAGS}
-+LDFLAGS += ${LIBS}
+-COMPATSRC = explicit_bzero.c
++CPPFLAGS = -DVERSION=\"${VERSION}\" -D_DEFAULT_SOURCE -D_BSD_SOURCE
++CFLAGS = -std=c99 -pedantic -Wall ${INCS} ${CPPFLAGS}
++LDFLAGS = ${LIBS}
++COMPATSRC =
- # On *BSD remove -DHAVE_SHADOW_H from CPPFLAGS and add -DHAVE_BSD_AUTH
# On OpenBSD and Darwin remove -lcrypt from LIBS
+ #LIBS = -L/usr/lib -lc -L${X11LIB} -lX11 -lXext -lXrandr
+@@ -29,4 +29,4 @@ COMPATSRC = explicit_bzero.c
+ #COMPATSRC =
# compiler and linker
-CC = cc
+CC ?= cc
-
- # Install mode. On BSD systems MODE=2755 and GROUP=auth
- # On others MODE=4755 and GROUP=root
--#MODE=2755
--#GROUP=auth
-+MODE=2755
-+GROUP=auth
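Review bot: The rewritten config.mk assignments use `=` where the previous port patch used `+=` for `CPPFLAGS`, `CFLAGS` and `LDFLAGS`, so flags supplied through the environment by the ports framework (including any hardening or debug flags) would be overridden instead of extended. Keep the appending form, e.g. `CPPFLAGS += -DVERSION=\"${VERSION}\" -D_DEFAULT_SOURCE -D_BSD_SOURCE`, and likewise `CFLAGS +=` and `LDFLAGS +=`. The same lines also drop `-DHAVE_BSD_AUTH`, and the `MODE=2755`/`GROUP=auth` lines are no longer carried. A short comment in the patch stating how 1.4 authenticates on OpenBSD would explain the install-mode change in pkg/PLIST.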
Index: patches/patch-slock_c
===================================================================
RCS file: /cvs/ports/x11/slock/patches/patch-slock_c,v
retrieving revision 1.3
diff -u -p -r1.3 patch-slock_c
--- patches/patch-slock_c 13 Aug 2016 14:00:00 -0000 1.3
+++ patches/patch-slock_c 17 Jul 2017 19:03:37 -0000
@@ -1,33 +1,39 @@
$OpenBSD: patch-slock_c,v 1.3 2016/08/13 14:00:00 tb Exp $
---- slock.c.orig Fri Feb 12 20:29:02 2016
-+++ slock.c Sat Aug 13 15:37:49 2016
-@@ -47,7 +47,7 @@ static Bool rr;
- static int rrevbase;
- static int rrerrbase;
+
+the second part is from 35633d45672d14bd798c478c45d1a17064701aa9:
+
+Properly clear the last entered character
+
+When enter is pressed, passwd[len] will be set to '\0'. Pressing
+backspace is supposed to remove the last entered character.
+
+But currently, the clearing has an off-by-one, as in setting
+passwd[len] to '\0' just like enter would do.
+
+You can also verify it by imagining len=1 and that it's impossible to
+clear passwd[0] by pressing backspace with the current code.
+
+Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org>
+
+
+Index: slock.c
+--- slock.c.orig
++++ slock.c
+@@ -46,7 +46,7 @@ struct xrandr {
+
+ #include "config.h"
-static void
+static void __attribute__((__noreturn__, __format__(printf, 1, 2)))
die(const char *errstr, ...)
{
va_list ap;
-@@ -172,10 +172,12 @@ readpw(Display *dpy, const char *pws)
- break;
- case XK_Escape:
- len = 0;
-+ explicit_bzero(passwd, sizeof(passwd));
+@@ -177,7 +177,7 @@ readpw(Display *dpy, struct xrandr *rr, struct lock **
break;
case XK_BackSpace:
if (len)
- --len;
-+ explicit_bzero(passwd + len, 1);
+- passwd[len--] = '\0';
++ passwd[--len] = '\0';
break;
default:
- if (num && !iscntrl((int)buf[0]) && (len + num < sizeof(passwd))) {
-@@ -185,6 +187,7 @@ readpw(Display *dpy, const char *pws)
- break;
- }
- color = len ? INPUT : (failure || failonclear ? FAILED : INIT);
-+ explicit_bzero(buf, sizeof(buf));
- if (running && oldc != color) {
- for (screen = 0; screen < nscreens; screen++) {
- XSetWindowBackground(dpy, locks[screen]->win, locks[screen]->colors[color]);
+ if (num && !iscntrl((int)buf[0]) &&
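Review bot: The earlier port patch wiped the key buffer after every event with `explicit_bzero(buf, sizeof(buf));` and cleared `passwd` on Escape, but both additions are removed here and only the backspace fix remains. Nothing in the visible hunk shows whether slock 1.4 performs those wipes itself, so please confirm against the 1.4 source and carry `explicit_bzero(buf, sizeof(buf));` forward if upstream does not. The new text at the top of the patch documents only "the second part"; a line describing the first part (the `__noreturn__`/`__format__` attributes on `die`) would make the header complete. readpw's body lies outside the hunk.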
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/x11/slock/pkg/PLIST,v
retrieving revision 1.4
diff -u -p -r1.4 PLIST
--- pkg/PLIST 5 Mar 2016 19:17:01 -0000 1.4
+++ pkg/PLIST 17 Jul 2017 19:03:37 -0000
@@ -1,5 +1,5 @@
@comment $OpenBSD: PLIST,v 1.4 2016/03/05 19:17:01 jung Exp $
-@mode g+s
+@mode u+s
@group auth
@bin bin/slock
@mode
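Review bot: `@mode u+s` with `@group auth` left in place and no `@owner` line visible in this hunk presumably installs slock setuid to the default file owner (root on a standard package install) rather than setgid auth, so the process that handles X key events starts with far more privilege than before. The patch-config_mk change drops `-DHAVE_BSD_AUTH` together with `MODE=2755`/`GROUP=auth`, which suggests 1.4 reads the password hash directly and is likely why g+s stopped working. Before committing, confirm that slock 1.4 drops to an unprivileged user and group (the patch-config_def_h context shows `group = "nogroup"`) right after fetching the hash and exits if the drop fails, and check whether a narrower setgid arrangement can still be used. If u+s stays, `@group auth` appears to serve no purpose any more and could be removed.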