You are not logged in.
hi,
don't know whether this is worth reporting a bug into https://bugs.archlinux.org .
maybe this could be an upstream issue:
when a user starts xtrlock, the screen gets locked as expected.
if the user's account has been locked by root meanwhile / before
( passwd -l $user --> "!" prefix in /etc/shadow ),
xtrlock segfaults on any non-zero length input followed by <return>.
so anyone can bypass authentication for locked users.
dmesg shows:
xtrlock[1034]: segfault at 0 ip b750f3b7 sp bf97b6cc error 4 in libc-2.24.so[b73d0000+1b2000]
$arch is x86, xtrlock is V2.8 , glibc is V2.24
could anybody try/confirm this ?
thanks a lot
Offline
--- xtrlock.c.bak 2017-03-10 22:31:10.895989318 +0100
+++ xtrlock.c 2017-03-10 22:45:25.974643164 +0100
@@ -67,7 +67,8 @@ int passwordok(const char *s) {
#else
/* simpler, and should work with crypt() algorithms using longer
salt strings (like the md5-based one on freebsd). --marekm */
- return !strcmp(crypt(s, pw->pw_passwd), pw->pw_passwd);
+ char *encr = crypt(s, pw->pw_passwd);
+ return encr && !strcmp(encr, pw->pw_passwd);
#endif
}
Online