[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#862170: marked as done (wheezy-pu: package lxterminal/0.1.11-4)

Your message dated Tue, 09 May 2017 12:27:22 +0100
with message-id <ec1c65fc82062637e9ccd326504f3867@mail.adam-barratt.org.uk>
and subject line Re: Bug#862170: wheezy-pu: package lxterminal/0.1.11-4
has caused the Debian Bug report #862170,
regarding wheezy-pu: package lxterminal/0.1.11-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
862170: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862170
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

I'd like to upload a fix for CVE-2016-10369 to wheezy.

Attached is a rejected debdiff purposed for debian security team.

CVE-2016-10369:
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a
socket file, allowing a local user to cause a denial of service
(preventing terminal launch), or possibly have other impact (bypassing
terminal access control).

- -- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-----BEGIN PGP SIGNATURE-----

iQJCBAEBCAAsFiEE/tVDSEUoffJikxSJz7v84LdPGxQFAlkRopoOHG13ZWlAbHhk
ZS5vcmcACgkQz7v84LdPGxRyqA//Z+2stjHuk/aGxRZD64xJXodH1cBXMD0zvwPj
ULeS21sE5i2Tg05KksBIm3ksFNaONhr6GvCoq88EiIPWxri/jEJDaPsbK842WlS9
DsCh7jdWpoyoto0MbpvNz7OrPrsUQI3d9kXqhQ9V/lRn582kVPgMxHf/Y5T25kvY
vGYEw8cXT2S/ZnMKrWYGnICdI0sfjK+O7NGpMAPfmgj0stYLN/5I5C8eT/P7LLY+
uPJrBuf/fowC88RwRpm6+wE2g1sL7gHMJ0N5cS68FABCuPztjzYqGUvT+oLp2rZ/
n0oIWiIC0fvllVS92D/jnxOhBxTNE7T6Iug858ZQkVe4Y2Y1GwrkEsRt/YcubHfV
f+yj0csLfu8xSFzyWlT05AJUcVgNGuXx7OLTCmoCGQOUPU+Awu9sYvvO/47ZRkfn
CJvbq06aym8Ca6M5gGuHLZHLmEYtl+a4crBu2OQQa6W/qiIgbeXouLw5bKaAnxHZ
DPdlUHdR0mygpgRo1skYKKBiwftVZuEUJ7mDRUJLi1IzeN2QukEUsGlxOZlfWXma
KAbOJcHyZkWl0mkXKQqhJc8UdOZIAgRov8LU3fizQE13+aWV7aPqtC430vLmrDPd
Tmzo+91oZm/UOn26fTo1OMs63kOX3laWOuQ+qssRkckOWpuWDeibEtibleAxE2AT
ZvF/1ow=
=V8rr
-----END PGP SIGNATURE-----

diff -Nru lxterminal-0.1.11/debian/changelog lxterminal-0.1.11/debian/changelog
--- lxterminal-0.1.11/debian/changelog	2012-05-19 01:30:00.000000000 +0800
+++ lxterminal-0.1.11/debian/changelog	2017-05-09 10:38:42.000000000 +0800
@@ -1,3 +1,10 @@
+lxterminal (0.1.11-4+deb7u1) wheezy-security; urgency=high
+
+  * Fix improper use of /tmp for a socket file (CVE-2016-10369)
+    (Closes: #862098)
+
+ -- Yao Wei (魏銘廷) <mwei@lxde.org>  Tue, 09 May 2017 10:38:42 +0800
+
 lxterminal (0.1.11-4) unstable; urgency=low
 
   * Moving package to priority optional.
diff -Nru lxterminal-0.1.11/debian/patches/02-cve-2016-10369.diff lxterminal-0.1.11/debian/patches/02-cve-2016-10369.diff
--- lxterminal-0.1.11/debian/patches/02-cve-2016-10369.diff	1970-01-01 08:00:00.000000000 +0800
+++ lxterminal-0.1.11/debian/patches/02-cve-2016-10369.diff	2017-05-09 10:38:42.000000000 +0800
@@ -0,0 +1,19 @@
+From: Yao Wei (魏銘廷) <mwei@lxde.org>
+Subject: fix: CVE-2016-10369: socket can be blocked by another user
+
+* fix: use g_get_user_runtime_dir for socket directory
+
+Origin: upstream, https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648
+Bug-Debian: http://bugs.debian.org/862098
+
+--- a/src/unixsocket.c
++++ b/src/unixsocket.c
+@@ -116,7 +116,7 @@
+      * This function returns TRUE if this process should keep running and FALSE if it should exit. */
+ 
+     /* Formulate the path for the Unix domain socket. */
+-    gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", gdk_get_display(), g_get_user_name());
++    gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", g_get_user_runtime_dir(), gdk_display_get_name(gdk_display_get_default()));
+ 
+     /* Create socket. */
+     int fd = socket(PF_UNIX, SOCK_STREAM, 0);
diff -Nru lxterminal-0.1.11/debian/patches/series lxterminal-0.1.11/debian/patches/series
--- lxterminal-0.1.11/debian/patches/series	2012-04-28 18:05:35.000000000 +0800
+++ lxterminal-0.1.11/debian/patches/series	2017-05-09 10:38:42.000000000 +0800
@@ -1 +1,2 @@
 01-fix-mnemonics.patch
+02-cve-2016-10369.diff

--- End Message ---
--- Begin Message --- 
On 2017-05-09 12:06, Yao Wei wrote:

I'd like to upload a fix for CVE-2016-10369 to wheezy.

Attached is a rejected debdiff purposed for debian security team.
Updates for wheezy are no longer managed by the Release Team, since the introduction of wheezy-lts. 

Please liaise with the LTS team regarding the update to wheezy.

Regards,

Adam

--- End Message ---
Reply to: