The screen locking application slock (http://tools.suckless.org/slock/) calls crypt(3) and uses the return value for strcmp(3) without checking to see if the return value of crypt(3) was a NULL pointer. If the hash returned by (getspnam()->sp_pwdp) is invalid, crypt(3) will return NULL and set errno to EINVAL. This will cause slock to segfault which then leaves the machine unprotected. References: http://seclists.org/oss-sec/2016/q3/328 http://s1m0n.dft-labs.eu/files/slock/
Created slock tracking bugs for this issue: Affects: fedora-all [bug 1368370]
Created attachment 1196223 [details] Upstream fix
slock-1.3-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
slock-1.3-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
slock-1.3-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.