Date: Sunday, June 18, 2017 @ 09:27:52 Author: bgyorgy Revision: 238028
upgpkg: lxterminal 0.3.0-2 Fix CVE-2016-10369 (FS#54081) Added: lxterminal/trunk/Fix-CVE-2016-10369.patch Modified: lxterminal/trunk/PKGBUILD --------------------------+ Fix-CVE-2016-10369.patch | 29 +++++++++++++++++++++++++++++ PKGBUILD | 13 ++++++++++--- 2 files changed, 39 insertions(+), 3 deletions(-) Added: Fix-CVE-2016-10369.patch =================================================================== --- Fix-CVE-2016-10369.patch (rev 0) +++ Fix-CVE-2016-10369.patch 2017-06-18 09:27:52 UTC (rev 238028) @@ -0,0 +1,29 @@ +From f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648 Mon Sep 17 00:00:00 2001 +From: Yao Wei <[email protected]> +Date: Mon, 8 May 2017 00:47:55 +0800 +Subject: [PATCH] fix: use g_get_user_runtime_dir for socket directory + +This bug is pointed out by stackexchange user that putting socket file in +/tmp is a potential risk. Putting the socket dir in user directory could +mitigate the risk. +--- + src/unixsocket.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/unixsocket.c b/src/unixsocket.c +index 4c660ac..f88284c 100644 +--- a/src/unixsocket.c ++++ b/src/unixsocket.c +@@ -140,7 +140,8 @@ gboolean lxterminal_socket_initialize(LXTermWindow * lxtermwin, gint argc, gchar + * This function returns TRUE if this process should keep running and FALSE if it should exit. */ + + /* Formulate the path for the Unix domain socket. */ +- gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", gdk_display_get_name(gdk_display_get_default()), g_get_user_name()); ++ gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", g_get_user_runtime_dir(), gdk_display_get_name(gdk_display_get_default())); ++ printf("%s\n", socket_path); + + /* Create socket. */ + int fd = socket(PF_UNIX, SOCK_STREAM, 0); +-- +2.1.4 + Modified: PKGBUILD =================================================================== --- PKGBUILD 2017-06-18 09:22:45 UTC (rev 238027) +++ PKGBUILD 2017-06-18 09:27:52 UTC (rev 238028) @@ -7,7 +7,7 @@ pkgbase=lxterminal pkgname=(lxterminal lxterminal-gtk3) pkgver=0.3.0 -pkgrel=1 +pkgrel=2 pkgdesc="VTE-based terminal emulator (part of LXDE)" arch=('i686' 'x86_64') license=('GPL2') @@ -14,9 +14,16 @@ url="http://lxde.org/"; depends=('vte' 'vte3') makedepends=('intltool') -source=(https://downloads.sourceforge.net/lxde/${pkgbase}-${pkgver}.tar.xz) -sha256sums=('2a424653565f04f4459cc86756e583f3107ca90e5e81250804dced5f8236c7f9') +source=(https://downloads.sourceforge.net/lxde/${pkgbase}-${pkgver}.tar.xz + Fix-CVE-2016-10369.patch) +sha256sums=('2a424653565f04f4459cc86756e583f3107ca90e5e81250804dced5f8236c7f9' + '9b0304b102c98812517e3db5e1439fad6290f2646d27adf79419cbaabb55a33b') +prepare() { + cd $pkgname-$pkgver + patch -Np1 -i ../Fix-CVE-2016-10369.patch +} + build() { # GTK+ 2 version [ -d gtk2 ] || cp -r $pkgbase-$pkgver gtk2
