Package: lxterminal
Version: 0.3.0-1
Severity: grave
Tags: upstream patch security
Justification: user security hole

This vulnerability is discussed in a Stack Exchange website:
https://unix.stackexchange.com/questions/333539/lxterminal-in-the-netstat-output/333578

The socket placed in /tmp is predictable and public-writable. Therefore, if Alice placed a file or lxterminal socket in /tmp/.lxterminal-socket:0-bob, Bob is unable to open lxterminal, or open a lxterminal instance for Alice.

This bug is fixed in the commit:
https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lxterminal depends on:
ii  libatk1.0-0          2.22.0-1
ii  libc6                2.24-10
ii  libcairo2            1.14.8-1
ii  libfontconfig1       2.11.0-6.7+b1
ii  libfreetype6         2.6.3-3.2
ii  libgdk-pixbuf2.0-0   2.36.5-2
ii  libglib2.0-0         2.50.3-2
ii  libgtk2.0-0          2.24.31-2
ii  libpango-1.0-0       1.40.5-1
ii  libpangocairo-1.0-0  1.40.5-1
ii  libpangoft2-1.0-0    1.40.5-1
ii  libvte9              1:0.28.2-5+b2
ii  libx11-6             2:1.6.4-3
ii  libxext6             2:1.3.3-1+b2

lxterminal recommends no packages.

lxterminal suggests no packages.

-- no debconf information
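
Added example, not part of the original report and not lxterminal's own code: a C check that a per-user socket path cannot be pre-created by another local user, which is the condition the report describes for /tmp/.lxterminal-socket:0-bob. The function names and the scratch directory used for the constructed test scenario are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if `path` sits in a directory that only `uid` can write to and is
 * either absent or a socket owned by `uid`; returns 0 otherwise. */
int socket_path_is_private(const char *path, uid_t uid)
{
    char copy[4096];
    struct stat dir, node;

    if (strlen(path) >= sizeof copy)
        return 0;
    strcpy(copy, path);                 /* dirname() may modify its argument */
    if (stat(dirname(copy), &dir) != 0 || !S_ISDIR(dir.st_mode))
        return 0;
    if (dir.st_uid != uid || (dir.st_mode & (S_IWGRP | S_IWOTH)))
        return 0;                       /* another user could plant the name first */
    if (lstat(path, &node) != 0)
        return errno == ENOENT;         /* nothing there yet: safe to bind() */
    return S_ISSOCK(node.st_mode) && node.st_uid == uid;
}

/* Constructed scenario: a scratch directory set to `mode`, holding the socket
 * name from the report. Returns the check result, or -1 on setup failure. */
int check_in_scratch_dir(mode_t mode)
{
    char dir[] = "/tmp/sockdemo-XXXXXX", path[64];
    int ok;

    if (!mkdtemp(dir) || chmod(dir, mode) != 0)
        return -1;
    snprintf(path, sizeof path, "%s/.lxterminal-socket:0-bob", dir);
    ok = socket_path_is_private(path, getuid());
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("private 0700 directory:      %d\n", check_in_scratch_dir(0700));
    printf("world-writable 1777 (/tmp):  %d\n", check_in_scratch_dir(01777));
    return 0;
}
```

Because the accepted directory is writable only by its owner, no other user can swap the entry between the check and the later bind() or connect().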