Debian 9844 Published by

The following two updates has been released for Debian 7 LTS:

[DLA 598-1] suckless-tools security update
[DLA 599-1] cracklib2 security update



[DLA 598-1] suckless-tools security update

Package : suckless-tools
Version : 38-2+deb7u1
CVE ID : CVE-2016-6866

It was discovered that the slock screen locking tool would segfault when the
user's account had been disabled.

slock called crypt(3) and used the return value for strcmp(3) without checking
to see if the return value of crypt(3) was a NULL pointer. If the hash returned
by (getspnam()->sp_pwdp) was invalid, crypt(3) would return NULL and set errno
to EINVAL. This would cause slock to segfault which leaves the machine
unprotected.

For Debian 7 "Wheezy", this issue has been fixed in suckless-tools version
38-2+deb7u1.

We recommend that you upgrade your suckless-tools packages.

[DLA 599-1] cracklib2 security update

Package : cracklib2
Version : 2.8.19-3+deb7u1
CVE ID : CVE-2016-6318
Debian Bug : 834502

It was discovered that there was a stack-based buffer overflow when
parsing large GECOS fields in cracklib2, a pro-active password checker
library.

For Debian 7 "Wheezy", this issue has been fixed in cracklib2 version
2.8.19-3+deb7u1.

We recommend that you upgrade your cracklib2 packages.