Ubuntu 22.04 LTS - swaylock -v 1.5 - lock screen bypasses

Regarding to redhat bug report this should be fixed with swaylock-1.6-1.fc34, which is not in Ubuntu 22.04.4 LTS

Focal (20.04) and Jammy (22.04) swaylock versions are affected https://ubuntu.com/security/CVE-2022-26530

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Hey @mdeslaur, I am not that advanced that I understand how to do this. I already tried building it from the dedicated repo https://github.com/swaywm/swaylock.

14:38:46 hostname : swaylock ((v1.7.2)) :)
> meson --reconfigure build/ --prefix=/home/user/bin/swaylock-bin
The Meson build system
Version: 1.4.0
Source dir: /home/user/bin/swaylock
Build dir: /home/user/bin/swaylock/build
Build type: native build
Project name: swaylock
Project version: 1.7.2
C compiler for the host machine: cc (gcc 11.4.0 "cc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0")
C linker for the host machine: cc ld.bfd 2.38
Host machine cpu family: x86_64
Host machine cpu: x86_64
Dependency wayland-client found: YES 1.20.0 (cached)
Dependency wayland-protocols found: YES 1.25 (cached)
Dependency wayland-scanner found: YES 1.20.0 (cached)
Dependency xkbcommon found: YES 1.4.0 (cached)
Dependency cairo found: YES 1.16.0 (cached)
Found pkg-config: YES (/usr/bin/pkg-config) 0.29.2
Found CMake: /usr/bin/cmake (3.22.1)
Run-time dependency gdk-pixbuf-2.0 found: NO (tried pkgconfig and cmake)
Library pam found: NO
Library crypt found: YES
Library m found: YES
Library rt found: YES
Program git found: YES (/usr/bin/git)
Program scdoc found: NO
Program /usr/bin/wayland-scanner found: YES (/usr/bin/wayland-scanner)
Configuring config.h using configuration
meson.build:118: WARNING: The swaylock binary must be setuid when compiled without libpam
meson.build:119: WARNING: You must do this manually post-install: chmod a+s /path/to/swaylock
Dependency bash-completion found: YES 2.11 (cached)
Run-time dependency fish found: NO (tried pkgconfig and cmake)
Build targets in project: 1

swaylock 1.7.2

  User defined options
    prefix: /home/user/bin/swaylock-bin

Found ninja-1.11.1.git.kitware.jobserver-1 at /usr/local/bin/ninja
WARNING: Running the setup command as `meson [options]` instead of `meson setup [options]` is ambiguous and deprecated.
14:38:53 hostname : swaylock ((v1.7.2)) :)
> ninja -C build
ninja: Entering directory `build'
[26/26] Linking target swaylock
14:39:12 hostname : swaylock ((v1.7.2)) :)
> sudo ninja -C build install
ninja: Entering directory `build'
[0/1] Installing files.
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/mesonbuild/mesonmain.py", line 146, in run
    return options.run_func(options)
  File "/usr/lib/python3/dist-packages/mesonbuild/minstall.py", line 811, in run
    installer.do_install(datafilename)
  File "/usr/lib/python3/dist-packages/mesonbuild/minstall.py", line 564, in do_install
    d = self.check_installdata(pickle.load(ifile))
ModuleNotFoundError: No module named 'mesonbuild.utils'

ERROR: Unhandled python exception

    This is a Meson bug and should be reported!
FAILED: meson-internal__install
/home/user/.local/bin/meson install --no-rebuild
ninja: build stopped: subcommand failed.
14:39:20 hostname : swaylock ((v1.7.2)) :(
>

Greetings,
Sebastian

There is already a newer Version for Ubuntu 24.04 LTS available, which fixed this vulnerability:
swaylock (1.7.2-1build2):
* https://packages.ubuntu.com/noble/swaylock
* https://packages.ubuntu.com/noble/amd64/swaylock/download

Dependencies swaylock (1.7.2-1build2):
* libc6 (>= 2.34)
* libcairo2 (>= 1.2.4)
* libgdk-pixbuf-2.0-0 (>= 2.31.1)
* libglib2.0-0t64 (>= 2.12.0)
* libpam0g (>= 0.99.7.1)
* libwayland-client0 (>= 1.20.0)
* libxkbcommon0 (>= 0.5.0)

Compared to Ubuntu 22.04 LTS package:
swaylock (1.5-2ubuntu1):
* https://packages.ubuntu.com/jammy/swaylock
* https://packages.ubuntu.com/jammy/amd64/swaylock/download

Dependencies swaylock (1.5-2ubuntu1):
* libc6 (>= 2.28)
* libcairo2 (>= 1.2.4)
* libgdk-pixbuf-2.0-0 (>= 2.31.1)
* libglib2.0-0 (>= 2.12.0)
* libpam0g (>= 0.99.7.1)
* libwayland-client0 (>= 1.9.91)
* libxkbcommon0 (>= 0.5.0)

08:44:45 hostname : Downloads :)
> debdiff swaylock_1.5-2ubuntu1_amd64.deb swaylock_1.7.2-1build2_amd64.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: libc6 (>= [-2.28),-] {+2.34),+} libcairo2 (>= 1.2.4), libgdk-pixbuf-2.0-0 (>= 2.31.1), [-libglib2.0-0-] {+libglib2.0-0t64+} (>= 2.12.0), libpam0g (>= 0.99.7.1), libwayland-client0 (>= [-1.9.91),-] {+1.20.0),+} libxkbcommon0 (>= 0.5.0)
Installed-Size: [-111-] {+117+}
Version: [-1.5-2ubuntu1-] {+1.7.2-1build2+}

Any Update?