Date: Sunday, June 18, 2017 @ 09:15:09 Author: bgyorgy Revision: 238022
upgpkg: menu-cache 1.0.2-2 Fix CVE-2017-8933 (FS#54082) Added: menu-cache/trunk/Fix-CVE-2017-8933.patch Modified: menu-cache/trunk/PKGBUILD -------------------------+ Fix-CVE-2017-8933.patch | 71 ++++++++++++++++++++++++++++++++++++++++++++++ PKGBUILD | 13 ++++++-- 2 files changed, 81 insertions(+), 3 deletions(-) Added: Fix-CVE-2017-8933.patch =================================================================== --- Fix-CVE-2017-8933.patch (rev 0) +++ Fix-CVE-2017-8933.patch 2017-06-18 09:15:09 UTC (rev 238022) 
@@ -0,0 +1,71 @@ +From 56f66684592abf257c4004e6e1fff041c64a12ce Mon Sep 17 00:00:00 2001 +From: Andriy Grytsenko <[email protected]> +Date: Sun, 14 May 2017 21:28:00 +0300 +Subject: [PATCH] Fix potential access violation, use runtime user dir instead + of tmp dir. + +Note: it limits libmenu-cache compatibility to menu-cached >= 0.7.0. +--- + NEWS | 3 +++ + libmenu-cache/menu-cache.c | 7 ++++++- + menu-cache-daemon/menu-cached.c | 3 +++ + 3 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/NEWS b/NEWS +index f7f12e6..6177e9d 100644 +--- a/NEWS ++++ b/NEWS +@@ -3,6 +3,9 @@ + * Added new API menu_cache_app_get_generic_name() to get generic + name for application. + ++* Fixed potential access violation, use runtime user dir instead of tmp dir. ++ It limits libmenu-cache compatibility to menu-cached >= 0.7.0. ++ + + Changes in 1.0.2 since 1.0.1: + +diff --git a/libmenu-cache/menu-cache.c b/libmenu-cache/menu-cache.c +index 9e3e0db..d914127 100644 +--- a/libmenu-cache/menu-cache.c ++++ b/libmenu-cache/menu-cache.c +@@ -3,7 +3,7 @@ + * + * Copyright 2008 PCMan <[email protected]> + * Copyright 2009 Jürgen Hötzel <[email protected]> +- * Copyright 2012-2015 Andriy Grytsenko (LStranger) <[email protected]> ++ * Copyright 2012-2017 Andriy Grytsenko (LStranger) <[email protected]> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public +@@ -1538,8 +1538,13 @@ static void get_socket_name( char* buf, int len ) + if(*p) + *p = '\0'; + } ++#if GLIB_CHECK_VERSION(2, 28, 0) ++ g_snprintf( buf, len, "%s/menu-cached-%s", g_get_user_runtime_dir(), ++ dpy ? dpy : ":0" ); ++#else + g_snprintf( buf, len, "%s/.menu-cached-%s-%s", g_get_tmp_dir(), + dpy ? 
dpy : ":0", g_get_user_name() ); ++#endif + g_free(dpy); + } + +diff --git a/menu-cache-daemon/menu-cached.c b/menu-cache-daemon/menu-cached.c +index a6895ee..c100484 100644 +--- a/menu-cache-daemon/menu-cached.c ++++ b/menu-cache-daemon/menu-cached.c +@@ -473,6 +473,9 @@ static void get_socket_name( char* buf, int len ) + if(*p) + *p = '\0'; + } ++ /* NOTE: this socket name is incompatible with versions > 1.0.2, ++ although this function is never used since 0.7.0 but ++ libmenu-cache always requests exact socket name instead */ + g_snprintf( buf, len, "%s/.menu-cached-%s-%s", g_get_tmp_dir(), + dpy ? dpy : ":0", g_get_user_name() ); + g_free(dpy); +-- +2.1.4 + Modified: PKGBUILD =================================================================== --- PKGBUILD 2017-06-18 08:57:04 UTC (rev 238021) +++ PKGBUILD 2017-06-18 09:15:09 UTC (rev 238022) @@ -6,7 +6,7 @@ pkgname=menu-cache pkgver=1.0.2 -pkgrel=1 +pkgrel=2 pkgdesc='Caching mechanism for freedesktop.org compliant menus' arch=('i686' 'x86_64') license=('GPL2') @@ -13,9 +13,16 @@ url='http://lxde.org/' depends=('libfm-extra') makedepends=('gtk-doc') -source=(https://downloads.sourceforge.net/lxde/$pkgname-$pkgver.tar.xz) -sha256sums=('6f83edf2de34f83e701dcb52145d755250a5677580cd413476cc4d7f2d2012d5') +source=(https://downloads.sourceforge.net/lxde/$pkgname-$pkgver.tar.xz + Fix-CVE-2017-8933.patch) +sha256sums=('6f83edf2de34f83e701dcb52145d755250a5677580cd413476cc4d7f2d2012d5' + 'd0ee65717d07ae423bac48d0676989cec624674bdacd3619f5d9fcc64c9e5796') +prepare() { + cd $pkgname-$pkgver + patch -Np1 -i ../Fix-CVE-2017-8933.patch +} + build() { cd $pkgname-$pkgver ./configure --prefix=/usr --sysconfdir=/etc \
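Review bot: The `#else` branch added to `get_socket_name()` in libmenu-cache/menu-cache.c still builds the socket path under `g_get_tmp_dir()`, so a build against GLib older than 2.28 keeps the shared tmp-dir location this patch moves away from. If that fallback has to stay, it should say so, e.g. `/* GLib < 2.28: no g_get_user_runtime_dir(), socket stays in the shared tmp dir */`; otherwise requiring GLib >= 2.28 at configure time would remove the branch. The same tmp-dir `g_snprintf` call remains in menu-cached.c's `get_socket_name()`, which the added comment describes as unused since 0.7.0, so deleting that function would be cleaner than annotating it. The return value of `g_snprintf` is not checked in either file, and whether a longer runtime-dir path can be silently truncated depends on `buf` and `len`, which are set by callers outside the hunk. Both functions begin above the visible context, so the `dpy` handling was not reviewed.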
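Review bot: Nothing in the PKGBUILD records where `Fix-CVE-2017-8933.patch` comes from or when it can be dropped. A comment above `source=` such as `# Fix-CVE-2017-8933.patch: upstream commit 56f66684592a (FS#54082), drop once a release includes it` would let the next packager check the pinned sha256 against upstream. The patch's NEWS hunk places the fix above "Changes in 1.0.2", which suggests it is meant for the next upstream release, so the patch and `prepare()` should presumably be removed at that version bump.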
