https://bugzilla.novell.com/show_bug.cgi?id=629236

https://bugzilla.novell.com/show_bug.cgi?id=629236#c7

--- Comment #7 from Sebastian Krahmer <krahmer@novell.com> 2010-09-28 08:40:37 UTC ---

We already audited vlock and didn't want to make it suid. Please see bnc#342924.

The 11.2 vlock build at least is also wrong with its plugins. On x86_64, the binary looks in /usr/lib/vlock for plugins and scripts, but they are located in /usr/lib64/vlock. It is checking for / characters in pathnames, but I'd prefer to disable execution of plugins and scripts.

Additionally there's a small bug:

diff -rup vlock-2.2.2.orig//src/util.c vlock-2.2.2/src/util.c --- vlock-2.2.2.orig//src/util.c 2008-05-18 05:10:54.000000000 -0400 +++ vlock-2.2.2/src/util.c 2010-09-28 11:53:39.079325879 -0400 @@ -51,11 +51,11 @@ struct timespec *parse_seconds(const cha void fatal_error(const char *format, ...) { - char *error; + char *error = NULL; va_list ap; va_start(ap, format); if (vasprintf(&error, format, ap) < 0) - error = "error while formatting error message"; + error = strdup("error while formatting error message"); va_end(ap); fatal_error_free(error); }

since fatal_error_free() would call free() on a string literal.

Why does vlock need suid/sgid? Isn't unix2_chkpwd exactly for that purpose?
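
Review bot: in the vasprintf() failure branch of fatal_error(), the result of strdup() is not checked, so error can be NULL when it reaches fatal_error_free(error). A vasprintf() failure is most often an allocation failure, which makes the strdup() right after it just as likely to fail. Consider handling that branch without a heap allocation, for example by reporting the fixed message and exiting there instead of passing it to a function that frees its argument. With that, the added `= NULL` initializer is also unnecessary, since error is assigned on both paths before it is used.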