
Bug#862150: unblock: lxterminal/0.3.0-1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Please unblock package lxterminal

This will introduce 2 bugfixes, one of which is a security fix:
* #862098 (grave) - lxterminal: CVE-2016-10369: socket can be blocked by
  another user
* #862096 (important) - lxterminal: unable to rename tabs

unblock lxterminal/0.3.0-1

- -- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)


diff -Nru lxterminal-0.3.0/debian/changelog lxterminal-0.3.0/debian/changelog
--- lxterminal-0.3.0/debian/changelog	2016-12-21 05:44:54.000000000 +0800
+++ lxterminal-0.3.0/debian/changelog	2017-05-09 12:13:07.000000000 +0800
@@ -1,3 +1,11 @@
+lxterminal (0.3.0-2) unstable; urgency=high
+
+  * Fix improper use of /tmp for a socket file. (CVE-2016-10369)
+    (Closes: #862098)
+  * Fix tab renaming dialog. (Closes: #862096)
+
+ -- Yao Wei (魏銘廷) <mwei@lxde.org>  Tue, 09 May 2017 12:13:07 +0800
+
 lxterminal (0.3.0-1) unstable; urgency=medium
 
   * Enabling parallel build (pass --parallel to dh).
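Review bot: The new changelog stanza is versioned 0.3.0-2, while the request above asks to unblock lxterminal/0.3.0-1, which is the older entry shown as context at the bottom of this hunk. The unblock line should name the version that actually carries the two fixes. urgency=high matches the grave severity of #862098.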
diff -Nru lxterminal-0.3.0/debian/patches/01-cve-2016-10369.diff lxterminal-0.3.0/debian/patches/01-cve-2016-10369.diff
--- lxterminal-0.3.0/debian/patches/01-cve-2016-10369.diff	1970-01-01 08:00:00.000000000 +0800
+++ lxterminal-0.3.0/debian/patches/01-cve-2016-10369.diff	2017-05-09 12:13:07.000000000 +0800
@@ -0,0 +1,21 @@
+From: Yao Wei (魏銘廷) <mwei@lxde.org>
+Subject: fix: CVE-2016-10369: socket can be blocked by another user
+
+* fix: use g_get_user_runtime_dir for socket directory
+
+Origin: upstream, https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648
+Bug-Debian: http://bugs.debian.org/862098
+
+diff --git a/src/unixsocket.c b/src/unixsocket.c
+index 4c660ac..df5b737 100644
+--- a/src/unixsocket.c
++++ b/src/unixsocket.c
+@@ -140,7 +140,7 @@ gboolean lxterminal_socket_initialize(LXTermWindow * lxtermwin, gint argc, gchar
+      * This function returns TRUE if this process should keep running and FALSE if it should exit. */
+ 
+     /* Formulate the path for the Unix domain socket. */
+-    gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", gdk_display_get_name(gdk_display_get_default()), g_get_user_name());
++    gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", g_get_user_runtime_dir(), gdk_display_get_name(gdk_display_get_default()));
+ 
+     /* Create socket. */
+     int fd = socket(PF_UNIX, SOCK_STREAM, 0);
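Review bot: The replacement socket_path line relies entirely on g_get_user_runtime_dir() returning a directory only this user can write to, and neither the patch header nor a code comment says so. GLib falls back to the user cache directory when XDG_RUNTIME_DIR is unset, so the socket may end up there; that is still per-user, but a one-line comment next to "Formulate the path" explaining why /tmp was dropped would keep someone from reverting it. The directory prefix is also no longer a fixed "/tmp", and the visible context shows no check that the resulting path fits in sun_path before the socket is bound, so a length check is worth adding. Dropping g_get_user_name() from the file name is fine once the directory itself is per-user.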
diff -Nru lxterminal-0.3.0/debian/patches/02-fix-tab-name-dialog.diff lxterminal-0.3.0/debian/patches/02-fix-tab-name-dialog.diff
--- lxterminal-0.3.0/debian/patches/02-fix-tab-name-dialog.diff	1970-01-01 08:00:00.000000000 +0800
+++ lxterminal-0.3.0/debian/patches/02-fix-tab-name-dialog.diff	2017-05-09 12:13:07.000000000 +0800
@@ -0,0 +1,22 @@
+From: Yao Wei (魏銘廷) <mwei@lxde.org>
+Subject: fix: tab name renaming
+
+* fix: display dialog buttons for changing tab name
+
+Origin: upstream, https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=e2ad448556ee0f78ebdd0e36dc16e96702326fb6
+Bug: https://github.com/lxde/lxterminal/issues/30
+Bug-Debian: http://bugs.debian.org/862096
+
+--- a/src/lxterminal.c
++++ b/src/lxterminal.c
+@@ -573,8 +573,8 @@
+         _("Name Tab"),
+         GTK_WINDOW(terminal->window),
+         0,
+-        NULL, GTK_RESPONSE_CANCEL,
+-        NULL, GTK_RESPONSE_OK,
++        _("_Cancel"), GTK_RESPONSE_CANCEL,
++        _("_OK"), GTK_RESPONSE_OK,
+         NULL);
+     gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
+     if (gtk_icon_theme_has_icon(gtk_icon_theme_get_default(), "lxterminal"))
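Review bot: The patch description says only "display dialog buttons" and does not record why they were missing: in the removed lines the first button label is NULL, and a NULL label terminates the variadic button list, so neither the GTK_RESPONSE_CANCEL nor the GTK_RESPONSE_OK button was ever created. Stating that cause in the header would make it easier to look for other dialogs in src/lxterminal.c built the same way. As a style point, this patch has bare ---/+++ lines with no "diff --git" and index lines, unlike 01-cve-2016-10369.diff; using one format for both keeps the series consistent.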
diff -Nru lxterminal-0.3.0/debian/patches/series lxterminal-0.3.0/debian/patches/series
--- lxterminal-0.3.0/debian/patches/series	1970-01-01 08:00:00.000000000 +0800
+++ lxterminal-0.3.0/debian/patches/series	2017-05-09 12:13:07.000000000 +0800
@@ -0,0 +1,2 @@
+01-cve-2016-10369.diff
+02-fix-tab-name-dialog.diff
