Bug 829859 (CVE-2013-4143) - VUL1: CVE-2013-4143: xlockmore: NULL ptr deref
Summary: VUL1: CVE-2013-4143: xlockmore: NULL ptr deref
Status: RESOLVED FIXED
Alias: CVE-2013-4143
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Stanislav Brabec
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-07-17 06:40 UTC by Sebastian Krahmer
Modified: 2013-07-22 06:11 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sebastian Krahmer 2013-07-17 06:40:58 UTC 
Via oss-sec:

To: oss-security
From: mancha

Hello Kurt, vendors, et al.

xlockmore 5.43 released 2 days ago with a fix for a security
flaw related to potential NULL pointer dereferences when
authenticating via glibc 2.17+ crypt() and OSF/1 C2 security's
dispcrypt().

Under certain conditions the NULL pointers can trigger a crash
in xlockmore effectively bypassing the screen lock.

[1] http://www.tux.org/~bagleyd/xlock/xlockmore.README

--mancha
Comment 2 Swamp Workflow Management 2013-07-17 22:00:16 UTC 
bugbot adjusting priority
Comment 3 Marcus Meissner 2013-07-18 09:15:17 UTC 
CVE-2013-4143
Comment 4 Stanislav Brabec 2013-07-18 15:40:44 UTC 
Should I fix it only for distros with glibc-2.17 (openSUSE 12.3 and Factory) or for all distros which have the affected code?
Comment 5 Marcus Meissner 2013-07-19 09:10:16 UTC 
Do opensuse factory.

I do not think we even use the crypt codepath at all, as we configure the unix2_checkpass helper binary to do checking.
Comment 6 Bernhard Wiedemann 2013-07-19 17:00:08 UTC 
This is an autogenerated message for OBS integration:
This bug (829859) was mentioned in
https://build.opensuse.org/request/show/183772 Factory / xlockmore
Comment 7 Sebastian Krahmer 2013-07-22 06:11:08 UTC 
should be done then