xlockmore User Supplied Format String Vulnerability

Solution:
Jeremy Buhler <jbuhler@cs.washington.edu> has released a patch which eliminates this vulnerability and is now shipped with xlockmore 4.17.1 and later versions. The following is the relevant fixed code.

void
error(const char *buf)
{
#if defined( HAVE_SYSLOG_H ) && defined( USE_SYSLOG )
    extern Display *dsp;

    /* buf is passed as a %s argument, never as the format string itself */
    syslog(SYSLOG_WARNING, "%s", buf);
    if (!nolock) {
        if (strstr(buf, "unable to open display") == NULL)
            syslogStop(XDisplayString(dsp));
        else
            syslogStop("unknown display");
        closelog();
    }
#else
    (void) fprintf(stderr, "%s", buf);
#endif
    exit(1);
}
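An added example (not xlockmore's code, nor Jeremy Buhler's patch) that reproduces the fixed pattern into a buffer so its effect can be checked, and pairs it with a small audit routine for messages that reach a logging sink; the message string and the function names are constructed for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The 4.17.1 fix passes the message as a %s argument under a constant format
   instead of using it as the format, so '%' sequences inside it are emitted
   verbatim. render_message() mirrors that fixed shape into dst and reports
   whether the rendered output equals the input. */
bool render_message(char *dst, size_t cap, const char *msg)
{
    snprintf(dst, cap, "%s", msg);   /* same shape as the patched error() */
    return strcmp(dst, msg) == 0;
}

/* Audit aid: count the conversion directives a string would carry if it were
   ever used as a format. "%%" is a literal percent and is not counted; a %n
   directive, which writes to memory, is flagged through *has_n when given. */
int count_directives(const char *s, bool *has_n)
{
    int n = 0;
    if (has_n) *has_n = false;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }          /* "%%" -> literal '%' */
        const char *q = p + 1;
        /* skip flags, field width, precision and length modifiers */
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q)) q++;
        if (*q == '\0') break;                        /* dangling '%' at end */
        if (*q == 'n' && has_n) *has_n = true;
        n++;
        p = q;                                        /* resume after the conversion */
    }
    return n;
}

/* Convenience wrapper: does the string contain a %n (or %hn, %ln, ...) directive? */
bool contains_n_directive(const char *s)
{
    bool has_n = false;
    count_directives(s, &has_n);
    return has_n;
}
```

With the constructed message `"unable to open display %s:0 (%x%x) 100%% %n"`, render_message() returns true (the patched call prints it unchanged), count_directives() reports 4, and contains_n_directive() is true.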

Patches are available for Debian Linux 2.1 and 2.2.

Patches are available for the FreeBSD ports version of xlockmore.


David Bagley xlock 4.16

David Bagley xlock 4.16.1
Copyright 2010, SecurityFocus