Bug#862169: jessie-pu: package lxterminal/0.2.0-1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi,
I'd like to upload a fix for CVE-2016-10369 to jessie.
CVE-2016-10369:
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a
socket file, allowing a local user to cause a denial of service
(preventing terminal launch), or possibly have other impact (bypassing
terminal access control).
- -- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64
(x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-----BEGIN PGP SIGNATURE-----
iQJCBAEBCAAsFiEE/tVDSEUoffJikxSJz7v84LdPGxQFAlkRn5kOHG13ZWlAbHhk
ZS5vcmcACgkQz7v84LdPGxT8TQ//a7wIYT1/SdKVzKVvY+pdMjXCKV1UdlAucAqm
Tqo7VatIHhxj/0yv5DmtGG+bshAuqbmtmMRnITOt3FB5k3+Y+mT+ouGpDsTZFbgF
SIj/Z/XWDhsybgpS6AGjG2ERZtuDNH5LjcmyDTR0ZmkhC7RtDujdlSJUWx7PBnt1
O7zl1N6RCesitENpYgRMfmc7Gd+AjuP3hwOpOdTOt++WLIhoyHGXoR6EzIzQTYTM
p6aUSDwQcOOqtlPZHUuBi4qQukMmD5xyZ/6/hfdYGdKyqWkTM7Dl+UXcRhYZQmAc
BfxDO3GoV495AZkBmGafn67z2ryrtHICRynVVF3B5PRlL5Hx5uh/6ifB0iRmzHwd
djtfYvW5zwLsDCNIspnV3rw5ONTq6TSJYWy/bcsLL4fjuNCYsQsW6/xj5BnLP6qh
cIe0IBe+YPtD66pM9AO9zexakKvGR9L4WouzOxYcofN+YnKEUtUldMdVu0rorROj
qsTPrUlUc5eJMlWE6z4jL/9MZTevwCPHfuyKSN606DqaAI0uZn9Uh5AFzREmcU3/
b7RYcgDDqJqWpepu9FyE6lYnUsRA44L1GJek/fL0Cn+OGN8FMGTHfHT1pSNolWFs
ZbG6uSbTnBWj1LOJg7tHzau/u6BiPkpcmCLclfWZTa1+HAF/oRcJKJcqDTrisXb2
ieiUO4Q=
=ZPa6
-----END PGP SIGNATURE-----
diff -Nru lxterminal-0.2.0/debian/changelog lxterminal-0.2.0/debian/changelog
--- lxterminal-0.2.0/debian/changelog 2014-10-22 06:18:50.000000000 +0800
+++ lxterminal-0.2.0/debian/changelog 2017-05-09 11:37:21.000000000 +0800
@@ -1,3 +1,10 @@
+lxterminal (0.2.0-1+deb8u1) jessie-security; urgency=high
+
+ * Fix improper use of /tmp for a socket file (CVE-2016-10369)
+ (Closes: #862098)
+
+ -- Yao Wei (魏銘廷) <mwei@lxde.org> Tue, 09 May 2017 11:37:21 +0800
+
lxterminal (0.2.0-1) unstable; urgency=low
* Adding --disable-silent-rules to fix buildlog checker warning.
diff -Nru lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff
--- lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff 1970-01-01 08:00:00.000000000 +0800
+++ lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff 2017-05-09 11:37:21.000000000 +0800
@@ -0,0 +1,19 @@
+From: Yao Wei (魏銘廷) <mwei@lxde.org>
+Subject: fix: CVE-2016-10369: socket can be blocked by another user
+
+* fix: use g_get_user_runtime_dir for socket directory
+
+Origin: upstream, https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648
+Bug-Debian: http://bugs.debian.org/862098
+
+--- a/src/unixsocket.c
++++ b/src/unixsocket.c
+@@ -120,7 +120,7 @@
+ * This function returns TRUE if this process should keep running and FALSE if it should exit. */
+
+ /* Formulate the path for the Unix domain socket. */
+- gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", gdk_get_display(), g_get_user_name());
++ gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", g_get_user_runtime_dir(), gdk_display_get_name(gdk_display_get_default()));
+
+ /* Create socket. */
+ int fd = socket(PF_UNIX, SOCK_STREAM, 0);
diff -Nru lxterminal-0.2.0/debian/patches/series lxterminal-0.2.0/debian/patches/series
--- lxterminal-0.2.0/debian/patches/series 2014-10-22 05:56:19.000000000 +0800
+++ lxterminal-0.2.0/debian/patches/series 2017-05-09 11:37:21.000000000 +0800
@@ -0,0 +1 @@
+01-cve-2016-10369.diff
Reply to: