Red Hat Bugzilla – Bug 985540
CVE-2013-4143 xlockmore: NULL pointer dereference leads to crash and bypass of screen lock
Last modified: 2016-03-04 06:53:36 EST
It was reported that xlockmore 5.43 fixes a NULL pointer dereference in situations where the crypt() call fails (the release notes indicate this is possible with glibc starting with version 2.17 due to crypt() failures returning EINVAL with a NULL return in certain situations). This could cause xlock to crash, which would allow for local users to obtain access to a locked desktop they would normally require a password to access.
A patch is available.
This affects Fedora 19 as it provides glibc 2.17. Earlier versions are not affected.
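The failure mode described in this report, shown as an added example that is not xlockmore's code or its patch: a password check that passes the crypt() result straight to strcmp(), next to one that fails closed when the result is NULL. The function names are hypothetical, and `failing_crypt` and `toy_crypt` are constructed stand-ins for crypt(3) so the example runs without libcrypt.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Same shape as crypt(3); injected so the NULL path can be exercised. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Constructed stand-in: crypt() rejecting its input the way the report
 * describes for glibc 2.17 (NULL return, errno set to EINVAL). */
char *failing_crypt(const char *key, const char *salt)
{
    (void)key; (void)salt;
    errno = EINVAL;
    return NULL;
}

/* Constructed stand-in for a working crypt(); NOT a real hash. */
char *toy_crypt(const char *key, const char *salt)
{
    static char out[64];
    (void)salt;
    snprintf(out, sizeof out, "T$%s", key);
    return out;
}

/* Unsafe pattern: a NULL result is dereferenced inside strcmp(), the
 * locker process dies, and the lock goes away with it. Shown for
 * comparison only; never called here. */
int check_unsafe(crypt_fn hash, const char *typed, const char *stored)
{
    return strcmp(hash(typed, stored), stored) == 0;
}

/* Hardened pattern: any crypt() failure is treated as a wrong password. */
int check_safe(crypt_fn hash, const char *typed, const char *stored)
{
    const char *computed;
    if (typed == NULL || stored == NULL)
        return 0;
    computed = hash(typed, stored);
    if (computed == NULL)          /* crypt() failed: stay locked */
        return 0;
    return strcmp(computed, stored) == 0;
}

int main(void)
{
    printf("crypt failure -> unlock=%d\n", check_safe(failing_crypt, "pw", "$x$bad"));
    return 0;
}
```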
Created xlockmore tracking bugs for this issue:
Affects: fedora-19 [bug 985542]
The CVE identifier of CVE-2013-4143 has been assigned to this issue:
xlockmore-5.43-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
xlockmore-5.43-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.