From c7e174104735e2d0ff381fd17a3dbdeab12b0f3d Mon Sep 17 00:00:00 2001 
From: Przemyslaw Pawelczyk Date: Sat, 3 Dec 2016 17:30:17 +0100 Subject: [PATCH] community/slock: Upgrade to 1.4. Modernize APKBUILD. To: soeren+alpine@soeren-tempel.net Cc: alpine-aports@lists.alpinelinux.org Removed patches, because they're already included in new version: - 0001-clear-passwords-with-explicit_bzero.patch (commit a7afade) - CVE-2016-6866.patch (commit d8bec0f). While make supports changing directories via -C option, we have a convention to change directory to "$builddir" during most stages like prepare(), build() and package(). (default_prepare() guarantees that we end up in "$builddir", but only if there are patches, which is inconsistent and should be fixed upstream.) Having one variable assignment per line in commands makes any possible future changes simply much more visible and eases inspecting. Adding || return 1 for last command in function, which was already present in this APKBUILD, is not really needed, because function returns with the exit code of the last command, but I call it a good pattern, even if a bit verbose, because it prevents forgetting adding it if previously last command in function stops being the last one after changes. Adding || return 1 for last command in function makes the code more consistent also from behavioral point of view, because command may fail and return various exit codes, but they're semantically incomprehensible for abuild, yet in future abuild may distinguish various kinds of errors (for better reporting in the build process), thus external exit codes are better overwritten by our own. --- .../0001-clear-passwords-with-explicit_bzero.patch | 146 --------------------- community/slock/APKBUILD | 50 +++---- community/slock/CVE-2016-6866.patch | 43 ------ 3 files changed, 25 insertions(+), 214 deletions(-) delete mode 100644 community/slock/0001-clear-passwords-with-explicit_bzero.patch delete mode 100644 community/slock/CVE-2016-6866.patch
diff --git a/community/slock/0001-clear-passwords-with-explicit_bzero.patch b/community/slock/0001-clear-passwords-with-explicit_bzero.patch deleted file mode 100644 index 69b6485c0777..000000000000 --- a/community/slock/0001-clear-passwords-with-explicit_bzero.patch +++ /dev/null 
@@ -1,146 +0,0 @@ -From a7afade1701a809f6a33b53525d59dd29b38d381 Mon Sep 17 00:00:00 2001 -From: Hiltjo Posthuma -Date: Sun, 31 Jul 2016 13:43:00 +0200 -Subject: [PATCH] clear passwords with explicit_bzero - -Make sure to explicitly clear memory that is used for password input. memset -is often optimized out by the compiler. - -Brought to attention by the OpenBSD community, see: -https://marc.info/?t=146989502600003&r=1&w=2 -Thread subject: x11/slock: clear passwords with explicit_bzero - -Changes: - -- explicit_bzero.c import from libressl-portable. -- Makefile: add COMPATSRC for compatibility src. -- config.mk: add separate *BSD section in config.mk to simply uncomment it on - these platforms. ---- - Makefile | 6 +++--- - config.mk | 4 ++++ - explicit_bzero.c | 19 +++++++++++++++++++ - slock.c | 8 ++++++-- - util.h | 2 ++ - 5 files changed, 34 insertions(+), 5 deletions(-) - create mode 100644 explicit_bzero.c - create mode 100644 util.h - -diff --git a/Makefile b/Makefile -index 86b3437..8b3e248 100644 ---- a/Makefile -+++ b/Makefile -@@ -3,7 +3,7 @@ - - include config.mk - --SRC = slock.c -+SRC = slock.c ${COMPATSRC} - OBJ = ${SRC:.c=.o} - - all: options slock -@@ -35,8 +35,8 @@ clean: - dist: clean - @echo creating dist tarball - @mkdir -p slock-${VERSION} -- @cp -R LICENSE Makefile README config.def.h config.mk ${SRC} slock.1 \ -- slock-${VERSION} -+ @cp -R LICENSE Makefile README config.def.h config.mk ${SRC} \ -+ explicit_bzero.c slock.1 slock-${VERSION} - @tar -cf slock-${VERSION}.tar slock-${VERSION} - @gzip slock-${VERSION}.tar - @rm -rf slock-${VERSION} -diff --git a/config.mk b/config.mk -index f93879e..3afc061 100644 ---- a/config.mk -+++ b/config.mk -@@ -18,9 +18,13 @@ LIBS = -L/usr/lib -lc -lcrypt -L${X11LIB} -lX11 -lXext -lXrandr - CPPFLAGS = -DVERSION=\"${VERSION}\" -DHAVE_SHADOW_H - CFLAGS = -std=c99 -pedantic -Wall -Os ${INCS} ${CPPFLAGS} - LDFLAGS = -s ${LIBS} -+COMPATSRC = explicit_bzero.c - - # On *BSD remove -DHAVE_SHADOW_H from CPPFLAGS and 
add -DHAVE_BSD_AUTH - # On OpenBSD and Darwin remove -lcrypt from LIBS -+#LIBS = -L/usr/lib -lc -L${X11LIB} -lX11 -lXext -lXrandr -+#CPPFLAGS = -DVERSION=\"${VERSION}\" -DHAVE_BSD_AUTH -D_BSD_SOURCE -+#COMPATSRC = - - # compiler and linker - CC = cc -diff --git a/explicit_bzero.c b/explicit_bzero.c -new file mode 100644 -index 0000000..3e33ca8 ---- /dev/null -+++ b/explicit_bzero.c -@@ -0,0 +1,19 @@ -+/* $OpenBSD: explicit_bzero.c,v 1.3 2014/06/21 02:34:26 matthew Exp $ */ -+/* -+ * Public domain. -+ * Written by Matthew Dempsky. -+ */ -+ -+#include -+ -+__attribute__((weak)) void -+__explicit_bzero_hook(void *buf, size_t len) -+{ -+} -+ -+void -+explicit_bzero(void *buf, size_t len) -+{ -+ memset(buf, 0, len); -+ __explicit_bzero_hook(buf, len); -+} -diff --git a/slock.c b/slock.c -index c9cdee2..a00fbb9 100644 ---- a/slock.c -+++ b/slock.c -@@ -23,6 +23,8 @@ - #include - #endif - -+#include "util.h" -+ - enum { - INIT, - INPUT, -@@ -135,7 +137,7 @@ readpw(Display *dpy, const char *pws) - * timeout. */ - while (running && !XNextEvent(dpy, &ev)) { - if (ev.type == KeyPress) { -- buf[0] = 0; -+ explicit_bzero(&buf, sizeof(buf)); - num = XLookupString(&ev.xkey, buf, sizeof(buf), &ksym, 0); - if (IsKeypadKey(ksym)) { - if (ksym == XK_KP_Enter) -@@ -161,14 +163,16 @@ readpw(Display *dpy, const char *pws) - XBell(dpy, 100); - failure = True; - } -+ explicit_bzero(&passwd, sizeof(passwd)); - len = 0; - break; - case XK_Escape: -+ explicit_bzero(&passwd, sizeof(passwd)); - len = 0; - break; - case XK_BackSpace: - if (len) -- --len; -+ passwd[len--] = 0; - break; - default: - if (num && !iscntrl((int)buf[0]) && (len + num < sizeof(passwd))) { -diff --git a/util.h b/util.h -new file mode 100644 -index 0000000..6f748b8 ---- /dev/null -+++ b/util.h -@@ -0,0 +1,2 @@ -+#undef explicit_bzero -+void explicit_bzero(void *, size_t); --- -2.9.3 - diff --git a/community/slock/APKBUILD b/community/slock/APKBUILD index 2ebcc9759c38..07e3831cb4c3 100644 --- a/community/slock/APKBUILD 
+++ b/community/slock/APKBUILD 
@@ -1,50 +1,50 @@ # Contributor: Sören Tempel # Maintainer: Sören Tempel pkgname=slock -pkgver=1.3 -pkgrel=3 +pkgver=1.4 +pkgrel=0 pkgdesc="A simple screen locker for X" url="http://tools.suckless.org/slock/" arch="all" license="MIT" -depends="" -depends_dev="" makedepends="libxext-dev libxrandr-dev linux-headers" -install="" options="suid" subpackages="$pkgname-doc" -source="http://dl.suckless.org/tools/$pkgname-$pkgver.tar.gz - 0001-clear-passwords-with-explicit_bzero.patch - CVE-2016-6866.patch" +source="http://dl.suckless.org/tools/$pkgname-$pkgver.tar.gz" # secfixes: # 1.3-r3: # - CVE-2016-6866 builddir="$srcdir/$pkgname-$pkgver" + prepare() { - default_prepare || return 1 - sed -i -e '/CFLAGS/{s/-Os//;s/=/+=/}' \ - -e '/LDFLAGS/{s/-s//;s/=/+=/}' \ - "$builddir"/config.mk || return 1 + cd "$builddir" + default_prepare \ + || return 1 + sed -i \ + -e '/CFLAGS/{s/-Os//;s/=/+=/}' \ + -e '/LDFLAGS/{s/-s//;s/=/+=/}' \ + config.mk \ + || return 1 } build() { - make X11INC=/usr/include/X11 X11LIB=/usr/lib/X11 \ - -C "$builddir" || return 1 + cd "$builddir" + make \ + X11INC=/usr/include/X11 \ + X11LIB=/usr/lib/X11 \ + || return 1 } package() { - make PREFIX=/usr DESTDIR="$pkgdir" \ - -C "$builddir" install || return 1 + cd "$builddir" + make install \ + DESTDIR="$pkgdir" \ + PREFIX=/usr \ + || return 1 } -md5sums="825aaeccba9b3b3c1f3d249d47c1396a slock-1.3.tar.gz -ca1f6e27e0b86101964c3a0d196d6520 0001-clear-passwords-with-explicit_bzero.patch -711f1a1810898958559b3f7515c81b72 CVE-2016-6866.patch" -sha256sums="bab4a3aea4046aa0fd0361c3649b79b90ca531bc5dfae3c4a6c0fe436152bd18 slock-1.3.tar.gz -4ed77e1955536f4d9cbb104a197a129f1abf0686088cff299ee72537eea56905 0001-clear-passwords-with-explicit_bzero.patch -ca37f6b759199128564599525176726af8a137247910bedd154fa5c95ba35f39 CVE-2016-6866.patch" -sha512sums="5024588f6d25f9d72a9d2b8ef9d8a2a94e5d5e53f30f4a15df83b693a3706b1ad6550422f36af29f54429a9c516d14a349e46aeb9896c6e32009ff0da5c02a8f slock-1.3.tar.gz 
-3b7f03c135694de6aa145587ec272ed21047c2a51e448011cb51ad447a39973a7ec9d760f42aca4dc0d22904b78b2668ffeab4c0a9d24cd6b6af88bb95cdaf38 0001-clear-passwords-with-explicit_bzero.patch -919cb98e6ae95855be5dd23fcfc122c5eb15272f16a6c1abbde2339247473aa3d7685461fb38f4e6cff5f12887a36859b081d06033d8cace5a2b762558e7357a CVE-2016-6866.patch" +md5sums="f91dd5ba50ce7bd1842caeca067086a3 slock-1.4.tar.gz" +sha256sums="b53849dbc60109a987d7a49b8da197305c29307fd74c12dc18af0d3044392e6a slock-1.4.tar.gz" +sha512sums="ad285360dd3f16a225159abaf2f82fabf2c675bd74478cf717f68cbe5941a6c620e3c88544ce675ce3ff19af4bb0675c9405685e0f74ee4e84f7d34c61a0532f slock-1.4.tar.gz" diff --git a/community/slock/CVE-2016-6866.patch b/community/slock/CVE-2016-6866.patch deleted file mode 100644 index f44bbbd54055..000000000000 --- a/community/slock/CVE-2016-6866.patch +++ /dev/null 
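Review bot: The sed in prepare() cannot tell whether it actually rewrote anything — `sed -i` exits 0 even when neither the `/CFLAGS/` nor the `/LDFLAGS/` line matched — so if the new 1.4 config.mk (or a future one) lays those lines out differently, the `|| return 1` never fires and the build silently keeps upstream's `=` assignments, which in make override whatever CFLAGS/LDFLAGS abuild presumably exports; for a binary built with `options="suid"` that is exactly the case where the hardening flags should not be lost unnoticed. After the sed I would add `grep -q '^CFLAGS += ' config.mk && grep -q '^LDFLAGS += ' config.mk || return 1` so the failure is loud, in keeping with the `|| return 1` discipline the commit message argues for. The sed also deserves a one-line why-comment, e.g. `# drop upstream's -Os and -s, and turn = into += so the CFLAGS/LDFLAGS abuild exports are appended to rather than replaced`. Minor: `source=` still fetches over plain http, so integrity rests entirely on the pinned sha512sums; that is acceptable, but an https URL is preferable if dl.suckless.org serves one (not verifiable from here).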
@@ -1,43 +0,0 @@ -From d8bec0f6fdc8a246d78cb488a0068954b46fcb29 Mon Sep 17 00:00:00 2001 -From: Markus Teich -Date: Tue, 30 Aug 2016 22:59:06 +0000 -Subject: fix CVE-2016-6866 - ---- -diff --git a/slock.c b/slock.c -index 847b328..8ed59ca 100644 ---- a/slock.c -+++ b/slock.c -@@ -123,7 +123,7 @@ readpw(Display *dpy) - readpw(Display *dpy, const char *pws) - #endif - { -- char buf[32], passwd[256]; -+ char buf[32], passwd[256], *encrypted; - int num, screen; - unsigned int len, color; - KeySym ksym; -@@ -159,7 +159,11 @@ readpw(Display *dpy, const char *pws) - #ifdef HAVE_BSD_AUTH - running = !auth_userokay(getlogin(), NULL, "auth-slock", passwd); - #else -- running = !!strcmp(crypt(passwd, pws), pws); -+ errno = 0; -+ if (!(encrypted = crypt(passwd, pws))) -+ fprintf(stderr, "slock: crypt: %s\n", strerror(errno)); -+ else -+ running = !!strcmp(encrypted, pws); - #endif - if (running) { - XBell(dpy, 100); -@@ -312,6 +316,8 @@ main(int argc, char **argv) { - - #ifndef HAVE_BSD_AUTH - pws = getpw(); -+ if (strlen(pws) < 2) -+ die("slock: failed to get user password hash.\n"); - #endif - - if (!(dpy = XOpenDisplay(NULL))) --- -cgit v0.9.0.3-65-g4555 -- 2.8.3