[xlockmore] fixed "CVE-2012-4524 xlockmore: Screensaver crash (screen lock bypass) when 'dclock' mode used" (#86

Thu Oct 18 15:36:52 UTC 2012

commit fc2570aa46676d4c72135ea7a9aa94c958b8f750
Author: Adrian Reber <adrian at lisas.de>
Date:   Thu Oct 18 17:36:47 2012 +0200

    fixed "CVE-2012-4524 xlockmore: Screensaver crash (screen lock bypass) when 'dclock' mode used" (#867908)

 patch-modes_dclock.patch |   53 ++++++++++++++++++++++++++++++++++++++++++++++
 xlockmore.spec           |    7 +++++-
 2 files changed, 59 insertions(+), 1 deletions(-)
---

diff --git a/patch-modes_dclock.patch b/patch-modes_dclock.patch
new file mode 100644
index 0000000..e4fa9a4
--- /dev/null
+++ b/patch-modes_dclock.patch
@@ -0,0 +1,53 @@
+--- modes/dclock.c.orig	2012-01-23 13:19:21.000000000 +0000
++++ modes/dclock.c
+@@ -376,11 +376,11 @@ static dclockstruct *dclocks = (dclockst
+ extern char *message;
+ 
+ static unsigned long
+-timeAtLastNewYear(long timeNow)
++timeAtLastNewYear(time_t timeNow)
+ {
+ 	struct tm *t;
+ 
+-	t = localtime((const time_t *) &timeNow);
++	t = localtime(&timeNow);
+ 	return (unsigned long)(t->tm_year);
+ }
+ 
+@@ -420,7 +420,7 @@ convert(double x, char *string)
+ }
+ 
+ static void
+-dayhrminsec(long timeCount, int tzoffset, char *string)
++dayhrminsec(time_t timeCount, int tzoffset, char *string)
+ {
+ 	int days, hours, minutes, secs;
+ 	int bufsize, i;
+@@ -675,7 +675,7 @@ drawDclock(ModeInfo * mi)
+ 				"%a %b %d %Y", localtime(&(dp->timeold)));
+ 		}
+ 	  } else {
+-		long timeNow, timeLocal;
++		time_t timeNow, timeLocal;
+ 		timeNow = seconds();
+ 		timeLocal = timeNow + dp->tzoffset;
+ 
+@@ -950,7 +950,7 @@ init_dclock(ModeInfo * mi)
+ {
+ 	Display *display = MI_DISPLAY(mi);
+ 	dclockstruct *dp;
+-	long timeNow, timeLocal;
++	time_t timeNow, timeLocal;
+ 	int i, j;
+ 
+ 	if (dclocks == NULL) {
+@@ -1252,7 +1252,7 @@ defined(MODE_dclock_mayan)
+ 			dayhrminsec(MAYAN_TIME_START - timeLocal, dp->tzoffset, dp->strnew[1]);
+ 			dp->strpta[1] = dp->strnew[1];
+ 		} else {
+-			struct tm *t = localtime((const time_t *) &timeLocal);
++			struct tm *t = localtime(&timeLocal);
+ 
+ 			if (dp->time24)
+ 			  (void) strftime(dp->strnew[0], STRSIZE, "%H:%M:%S", t);
+
diff --git a/xlockmore.spec b/xlockmore.spec
index b941d08..c451591 100644
--- a/xlockmore.spec
+++ b/xlockmore.spec
@@ -1,11 +1,12 @@
 Summary: Screen lock and screen saver
 Name: xlockmore
 Version: 5.40
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: BSD
 Group: Amusements/Graphics
 URL: http://www.tux.org/~bagleyd/xlockmore.html
 Source0: http://www.tux.org/~bagleyd/xlock/xlockmore-5.40/xlockmore-5.40.tar.bz2
+Patch0: patch-modes_dclock.patch
 BuildRequires: pam-devel
 BuildRequires: mesa-libGL-devel mesa-libGLU-devel
 BuildRequires: desktop-file-utils libXdmcp-devel
@@ -34,6 +35,7 @@ GTK based frontend for xlockmore.
 
 %prep
 %setup -q
+%patch0
 
 %{__sed} -i -e "s,/lib,/%{_lib},g" configure
 
@@ -104,6 +106,9 @@ desktop-file-install \
 %{_bindir}/xglock
 
 %changelog
+* Thu Oct 18 2012 Adrian Reber <adrian at lisas.de> - 5.40-3
+- fixed "CVE-2012-4524 xlockmore: Screensaver crash (screen lock bypass) when 'dclock' mode used" (#867908)
+
 * Thu Oct 18 2012 Adrian Reber <adrian at lisas.de> - 5.40-2
 - removed esound-devel BR
 
