Bug#862169: marked as done (jessie-pu: package lxterminal/0.2.0-1)

Debian Bug Tracking System Sat, 22 Jul 2017 05:23:27 -0700

Your message dated Sat, 22 Jul 2017 13:18:56 +0100
with message-id <1500725936.14212.4.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 8.9 fixes
has caused the Debian Bug report #862169,
regarding jessie-pu: package lxterminal/0.2.0-1
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
862169: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862169
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

I'd like to upload a fix for CVE-2016-10369 to jessie.

CVE-2016-10369:
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a
socket file, allowing a local user to cause a denial of service
(preventing terminal launch), or possibly have other impact (bypassing
terminal access control).

- -- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-----BEGIN PGP SIGNATURE-----

iQJCBAEBCAAsFiEE/tVDSEUoffJikxSJz7v84LdPGxQFAlkRn5kOHG13ZWlAbHhk
ZS5vcmcACgkQz7v84LdPGxT8TQ//a7wIYT1/SdKVzKVvY+pdMjXCKV1UdlAucAqm
Tqo7VatIHhxj/0yv5DmtGG+bshAuqbmtmMRnITOt3FB5k3+Y+mT+ouGpDsTZFbgF
SIj/Z/XWDhsybgpS6AGjG2ERZtuDNH5LjcmyDTR0ZmkhC7RtDujdlSJUWx7PBnt1
O7zl1N6RCesitENpYgRMfmc7Gd+AjuP3hwOpOdTOt++WLIhoyHGXoR6EzIzQTYTM
p6aUSDwQcOOqtlPZHUuBi4qQukMmD5xyZ/6/hfdYGdKyqWkTM7Dl+UXcRhYZQmAc
BfxDO3GoV495AZkBmGafn67z2ryrtHICRynVVF3B5PRlL5Hx5uh/6ifB0iRmzHwd
djtfYvW5zwLsDCNIspnV3rw5ONTq6TSJYWy/bcsLL4fjuNCYsQsW6/xj5BnLP6qh
cIe0IBe+YPtD66pM9AO9zexakKvGR9L4WouzOxYcofN+YnKEUtUldMdVu0rorROj
qsTPrUlUc5eJMlWE6z4jL/9MZTevwCPHfuyKSN606DqaAI0uZn9Uh5AFzREmcU3/
b7RYcgDDqJqWpepu9FyE6lYnUsRA44L1GJek/fL0Cn+OGN8FMGTHfHT1pSNolWFs
ZbG6uSbTnBWj1LOJg7tHzau/u6BiPkpcmCLclfWZTa1+HAF/oRcJKJcqDTrisXb2
ieiUO4Q=
=ZPa6
-----END PGP SIGNATURE-----

diff -Nru lxterminal-0.2.0/debian/changelog lxterminal-0.2.0/debian/changelog
--- lxterminal-0.2.0/debian/changelog   2014-10-22 06:18:50.000000000 +0800
+++ lxterminal-0.2.0/debian/changelog   2017-05-09 11:37:21.000000000 +0800
@@ -1,3 +1,10 @@
+lxterminal (0.2.0-1+deb8u1) jessie-security; urgency=high
+
+  * Fix improper use of /tmp for a socket file (CVE-2016-10369)
+    (Closes: #862098)
+
+ -- Yao Wei (魏銘廷) <m...@lxde.org>  Tue, 09 May 2017 11:37:21 +0800
+
 lxterminal (0.2.0-1) unstable; urgency=low
 
   * Adding --disable-silent-rules to fix buildlog checker warning.
diff -Nru lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff 
lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff
--- lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff      1970-01-01 
08:00:00.000000000 +0800
+++ lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff      2017-05-09 
11:37:21.000000000 +0800
@@ -0,0 +1,19 @@
+From: Yao Wei (魏銘廷) <m...@lxde.org>
+Subject: fix: CVE-2016-10369: socket can be blocked by another user
+
+* fix: use g_get_user_runtime_dir for socket directory
+
+Origin: upstream, 
https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648
+Bug-Debian: http://bugs.debian.org/862098
+
+--- a/src/unixsocket.c
++++ b/src/unixsocket.c
+@@ -120,7 +120,7 @@
+      * This function returns TRUE if this process should keep running and 
FALSE if it should exit. */
+ 
+     /* Formulate the path for the Unix domain socket. */
+-    gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", 
gdk_get_display(), g_get_user_name());
++    gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", 
g_get_user_runtime_dir(), gdk_display_get_name(gdk_display_get_default()));
+ 
+     /* Create socket. */
+     int fd = socket(PF_UNIX, SOCK_STREAM, 0);
diff -Nru lxterminal-0.2.0/debian/patches/series 
lxterminal-0.2.0/debian/patches/series
--- lxterminal-0.2.0/debian/patches/series      2014-10-22 05:56:19.000000000 
+0800
+++ lxterminal-0.2.0/debian/patches/series      2017-05-09 11:37:21.000000000 
+0800
@@ -0,0 +1 @@
+01-cve-2016-10369.diff

--- End Message ---

--- Begin Message ---

Version: 8.9

Hi,

These bugs all relate for updates which were included in today's jessie
point release.

Regards,

Adam

--- End Message ---

Bug#862169: marked as done (jessie-pu: package lxterminal/0.2.0-1)

Reply via email to