SECURITY

Fix local screen lock bypass vulnerability.
Debian bug #539699, from by David Fries.

x11/xscreensaver/Makefile

@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.56 2009/08/12 17:30:12 kili Exp $
+# $OpenBSD: Makefile,v 1.57 2009/08/20 07:03:15 ajacoutot Exp $
 
 COMMENT-main=		screen saver and locker for the X Window System
 COMMENT-data=		graphical demos (savers) for screensavers
@@ -6,7 +6,7 @@ COMMENT-gle=		OpenGL Extrusion library support for screensaver-data
 
 V=			5.08
 DISTNAME=		xscreensaver-${V}
-PKGNAME-main=		${DISTNAME}p0
+PKGNAME-main=		${DISTNAME}p1
 PKGNAME-data=		xscreensaver-data-${V}p0
 PKGNAME-gle=		xscreensaver-gle-${V}p1
 

x11/xscreensaver/patches/patch-driver_mlstring_c

@@ -0,0 +1,16 @@
+$OpenBSD: patch-driver_mlstring_c,v 1.1 2009/08/20 07:03:15 ajacoutot Exp $
+
+Fix local screen lock bypass vulnerability.
+Debian bug #539699.
+
+--- driver/mlstring.c.orig	Tue Apr 17 06:51:48 2007
++++ driver/mlstring.c	Thu Aug 20 08:59:21 2009
+@@ -153,6 +153,8 @@ mlstring_wrap(mlstring *mstring, XFontStruct *font, Di
+ 	  
+ 	  if (wrap_at == -1) /* No space found, hard wrap */
+ 	    wrap_at = line_length;
++	  else
++            wrap_at++; /* Leave space at the end of the line */
+ 
+ 	  newml = calloc(1, sizeof(*newml));
+ 	  if (!newml) /* OOM, don't bother trying to wrap */

x11/xscreensaver/pkg/PLIST-main

@@ -1,8 +1,8 @@
-@comment $OpenBSD: PLIST-main,v 1.3 2008/12/28 18:41:21 ajacoutot Exp $
+@comment $OpenBSD: PLIST-main,v 1.4 2009/08/20 07:03:15 ajacoutot Exp $
 @pkgpath x11/xscreensaver,no_gle
 @pkgpath x11/xscreensaver
 @mode 4755
-bin/xscreensaver
+@bin bin/xscreensaver
 @mode
 @bin bin/xscreensaver-command
 @bin bin/xscreensaver-demo