Your message dated Tue, 09 May 2017 21:28:58 +0000
with message-id <e1d8cgk-00032n...@respighi.debian.org>
and subject line unblock lxterminal
has caused the Debian Bug report #862150,
regarding unblock: lxterminal/0.3.0-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
862150: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862150
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Please unblock package lxterminal
This will introduce 2 bugfixes, one of which is a security fix:
* #862098 (grave) - lxterminal: CVE-2016-10369: socket can be blocked by
another user
* #862096 (important) - lxterminal: unable to rename tabs
unblock lxterminal/0.3.0-1
- -- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
diff -Nru lxterminal-0.3.0/debian/changelog lxterminal-0.3.0/debian/changelog
--- lxterminal-0.3.0/debian/changelog 2016-12-21 05:44:54.000000000 +0800
+++ lxterminal-0.3.0/debian/changelog 2017-05-09 12:13:07.000000000 +0800
@@ -1,3 +1,11 @@
+lxterminal (0.3.0-2) unstable; urgency=high
+
+ * Fix improper use of /tmp for a socket file. (CVE-2016-10369)
+ (Closes: #862098)
+ * Fix tab renaming dialog. (Closes: #862096)
+
+ -- Yao Wei (魏銘廷) <m...@lxde.org> Tue, 09 May 2017 12:13:07 +0800
+
lxterminal (0.3.0-1) unstable; urgency=medium
* Enabling parallel build (pass --parallel to dh).
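Review bot: the entry added at the top of debian/changelog is version 0.3.0-2, and the bug title also reads "unblock: lxterminal/0.3.0-2", but the unblock line in the request body names lxterminal/0.3.0-1, which is the older entry kept below this one. The hint should name 0.3.0-2 so that the upload carrying the CVE-2016-10369 fix is the one that migrates.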
diff -Nru lxterminal-0.3.0/debian/patches/01-cve-2016-10369.diff
lxterminal-0.3.0/debian/patches/01-cve-2016-10369.diff
--- lxterminal-0.3.0/debian/patches/01-cve-2016-10369.diff 1970-01-01
08:00:00.000000000 +0800
+++ lxterminal-0.3.0/debian/patches/01-cve-2016-10369.diff 2017-05-09
12:13:07.000000000 +0800
@@ -0,0 +1,21 @@
+From: Yao Wei (魏銘廷) <m...@lxde.org>
+Subject: fix: CVE-2016-10369: socket can be blocked by another user
+
+* fix: use g_get_user_runtime_dir for socket directory
+
+Origin: upstream,
https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648
+Bug-Debian: http://bugs.debian.org/862098
+
+diff --git a/src/unixsocket.c b/src/unixsocket.c
+index 4c660ac..df5b737 100644
+--- a/src/unixsocket.c
++++ b/src/unixsocket.c
+@@ -140,7 +140,7 @@ gboolean lxterminal_socket_initialize(LXTermWindow *
lxtermwin, gint argc, gchar
+ * This function returns TRUE if this process should keep running and
FALSE if it should exit. */
+
+ /* Formulate the path for the Unix domain socket. */
+- gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s",
gdk_display_get_name(gdk_display_get_default()), g_get_user_name());
++ gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s",
g_get_user_runtime_dir(), gdk_display_get_name(gdk_display_get_default()));
+
+ /* Create socket. */
+ int fd = socket(PF_UNIX, SOCK_STREAM, 0);
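Review bot: on the added socket_path line, the fix is only as strong as the directory g_get_user_runtime_dir() returns, and nothing in the hunk checks it. When XDG_RUNTIME_DIR is unset, GLib falls back to the user's cache directory, so it is worth verifying before the socket is bound that the directory is owned by the current user and not writable by anyone else, or at least stating that assumption in the patch description. Dropping g_get_user_name() from the file name is fine for a per-user directory, but the comment "Formulate the path for the Unix domain socket" could also say why the path no longer lives in /tmp.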
diff -Nru lxterminal-0.3.0/debian/patches/02-fix-tab-name-dialog.diff
lxterminal-0.3.0/debian/patches/02-fix-tab-name-dialog.diff
--- lxterminal-0.3.0/debian/patches/02-fix-tab-name-dialog.diff 1970-01-01
08:00:00.000000000 +0800
+++ lxterminal-0.3.0/debian/patches/02-fix-tab-name-dialog.diff 2017-05-09
12:13:07.000000000 +0800
@@ -0,0 +1,22 @@
+From: Yao Wei (魏銘廷) <m...@lxde.org>
+Subject: fix: tab name renaming
+
+* fix: display dialog buttons for changing tab name
+
+Origin: upstream,
https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=e2ad448556ee0f78ebdd0e36dc16e96702326fb6
+Bug: https://github.com/lxde/lxterminal/issues/30
+Bug-Debian: http://bugs.debian.org/862096
+
+--- a/src/lxterminal.c
++++ b/src/lxterminal.c
+@@ -573,8 +573,8 @@
+ _("Name Tab"),
+ GTK_WINDOW(terminal->window),
+ 0,
+- NULL, GTK_RESPONSE_CANCEL,
+- NULL, GTK_RESPONSE_OK,
++ _("_Cancel"), GTK_RESPONSE_CANCEL,
++ _("_OK"), GTK_RESPONSE_OK,
+ NULL);
+ gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
+ if (gtk_icon_theme_has_icon(gtk_icon_theme_get_default(), "lxterminal"))
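Review bot: the two button labels on the replaced lines are newly wrapped in _(), yet this debdiff touches no translation catalogs, so please confirm that "_Cancel" and "_OK" already exist as msgids in the package's po files; otherwise the buttons will appear untranslated in non-English locales. Also, unlike 01-cve-2016-10369.diff, this patch carries no diff --git or index header, which would be worth keeping consistent across debian/patches.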
diff -Nru lxterminal-0.3.0/debian/patches/series
lxterminal-0.3.0/debian/patches/series
--- lxterminal-0.3.0/debian/patches/series 1970-01-01 08:00:00.000000000
+0800
+++ lxterminal-0.3.0/debian/patches/series 2017-05-09 12:13:07.000000000
+0800
@@ -0,0 +1,2 @@
+01-cve-2016-10369.diff
+02-fix-tab-name-dialog.diff
--- End Message ---
--- Begin Message ---
Unblocked lxterminal.
--- End Message ---