It was reported [1],[2] that xlockmore 5.43 fixes a NULL pointer dereference in situations where the crypt() call fails (the release notes indicate this is possible with glibc starting with version 2.17 due to crypt() failures returning EINVAL with a NULL return in certain situations). This could cause xlock to crash, which would allow for local users to obtain access to a locked desktop they would normally require a password to access.

A patch [3] is available. This affects Fedora 19 as it provides glibc 2.17. Earlier versions are not affected.

[1] http://www.tux.org/~bagleyd/xlock/xlockmore.README
[2] http://www.openwall.com/lists/oss-security/2013/07/16/8
[3] http://sourceforge.net/projects/miscellaneouspa/files/glibc217/xlockmore-5.42-glibc217-crypt.diff
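The failure mode described in the report, as an added example that is not xlockmore's code or the referenced patch: a password check that passes the result of a crypt()-style call straight to strcmp(), beside a form that treats a NULL return as a failed unlock. The names `hash_fn`, `failing_hash`, `toy_hash`, `check_unpatched` and `check_hardened` are hypothetical, and the two hash functions are constructed stand-ins for crypt() so the example runs without linking libcrypt.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Same shape as crypt(3): returns the hash string, or NULL with errno set. */
typedef char *(*hash_fn)(const char *key, const char *salt);

/* Constructed stand-in for crypt() failing as the report describes:
 * NULL return with errno set to EINVAL. */
char *failing_hash(const char *key, const char *salt)
{
    (void)key; (void)salt;
    errno = EINVAL;
    return NULL;
}

/* Constructed stand-in for a working crypt(); "secret" is the only valid key. */
char *toy_hash(const char *key, const char *salt)
{
    static char ok[] = "$toy$ok", no[] = "$toy$no";
    (void)salt;
    return strcmp(key, "secret") == 0 ? ok : no;
}

/* Pattern that crashes: a NULL from h() is dereferenced inside strcmp(). */
int check_unpatched(hash_fn h, const char *typed, const char *stored)
{
    return strcmp(h(typed, stored), stored) == 0;
}

/* Fail closed: a hashing error is a failed unlock, never a crash. */
int check_hardened(hash_fn h, const char *typed, const char *stored)
{
    const char *got;
    if (typed == NULL || stored == NULL)
        return 0;
    got = h(typed, stored);
    if (got == NULL)            /* hashing failed, e.g. errno == EINVAL */
        return 0;               /* keep the screen locked */
    return strcmp(got, stored) == 0;
}

int main(void)
{
    /* check_unpatched(failing_hash, ...) is deliberately not called here. */
    printf("hash failure -> %d\n", check_hardened(failing_hash, "secret", "$toy$ok"));
    printf("right key    -> %d\n", check_hardened(toy_hash, "secret", "$toy$ok"));
    printf("wrong key    -> %d\n", check_hardened(toy_hash, "wrong", "$toy$ok"));
    return 0;
}
```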
Created xlockmore tracking bugs for this issue: Affects: fedora-19 [bug 985542]
The CVE identifier of CVE-2013-4143 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2013/07/18/6
xlockmore-5.43-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
xlockmore-5.43-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.