Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Please unblock package lxterminal This will introduce 2 bugfixes, one of which is security fix: * #862098 (grave) - lxterminal: CVE-2016-10369: socket can be blocked by another user * #862096 (important) - lxterminal: unable to rename tabs unblock lxterminal/0.3.0-1 - -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -----BEGIN PGP SIGNATURE----- iQJCBAEBCAAsFiEE/tVDSEUoffJikxSJz7v84LdPGxQFAlkRVZoOHG13ZWlAbHhk ZS5vcmcACgkQz7v84LdPGxTbFw//UzTl3nO9xRl/K4fNDFAim1jj0MNXMRLn8mh0 qxJmeXHJgSjUVStrEaBaMFXivragOR3EcM6NYXaxOpwnugkWi4Te3s9F5g9DYy9c T+S4B1W5A8HQ113o98xgObmCMYIH6/3uB7H0JxvQZHD6Zs2eWtCADoUDFvuet2Ji k0qrHi27l/HzgrzPfYL9LGIeWnie6OajyenJTNt5fP3oY/aTxPMGpLQ5u+/zmD3Q azIAcDB+Rxgzv0l36hhY8bb1stO8Ca84G6WGJuG6Cy1gIFJuLZsYCFKCIG1h4hqe QE9cGZU23wLNbJYoOxFafZkwmHnqs0Q0uumgKoqZyozGeG/Csq37z68XhX87KTcJ aZuQO/aYMTAEr/HUjtuNDQv2J2nk/1bvHES/9SV4N8cVGMYQ3IHEUCOomEeRixsU K3rYQB67aHsahBX23zK7WNNyB1gvwgPBK+oFtPPmFxO/Be6Dmb0wSqxgQtzyWqP0 vOUakmlXxC5xPrt3G4YubPVAvYTWUfBkPdQ0w3UprlKAW+xvvi4idMw3S6WO9rjG KUR6gE/KIq24ef6fq/GG7Md7dZrPjg/B8BDGz2m7rwmtbXe68nKszA37LUd3Pstf nUWP9SHNNlV5A13c0bN9DSIApEGG4c7/EFWNwmi2jpmL3amyBISwX/UwpDrFxBa7 jQb+0fU= =f07Y -----END PGP SIGNATURE-----
diff -Nru lxterminal-0.3.0/debian/changelog lxterminal-0.3.0/debian/changelog
--- lxterminal-0.3.0/debian/changelog 2016-12-21 05:44:54.000000000 +0800
+++ lxterminal-0.3.0/debian/changelog 2017-05-09 12:13:07.000000000 +0800
@@ -1,3 +1,11 @@
+lxterminal (0.3.0-2) unstable; urgency=high
+
+ * Fix improper use of /tmp for a socket file. (CVE-2016-10369)
+ (Closes: #862098)
+ * Fix tab renaming dialog. (Closes: #862096)
+
+ -- Yao Wei (魏銘廷) <[email protected]> Tue, 09 May 2017 12:13:07 +0800
+
 lxterminal (0.3.0-1) unstable; urgency=medium
 * Enabling parallel build (pass --parallel to dh).
diff -Nru lxterminal-0.3.0/debian/patches/01-cve-2016-10369.diff lxterminal-0.3.0/debian/patches/01-cve-2016-10369.diff
--- lxterminal-0.3.0/debian/patches/01-cve-2016-10369.diff 1970-01-01 08:00:00.000000000 +0800
+++ lxterminal-0.3.0/debian/patches/01-cve-2016-10369.diff 2017-05-09 12:13:07.000000000 +0800
@@ -0,0 +1,21 @@
+From: Yao Wei (魏銘廷) <[email protected]>
+Subject: fix: CVE-2016-10369: socket can be blocked by another user
+
+* fix: use g_get_user_runtime_dir for socket directory
+
+Origin: upstream, https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648
+Bug-Debian: http://bugs.debian.org/862098
+
+diff --git a/src/unixsocket.c b/src/unixsocket.c
+index 4c660ac..df5b737 100644
+--- a/src/unixsocket.c
++++ b/src/unixsocket.c
+@@ -140,7 +140,7 @@ gboolean lxterminal_socket_initialize(LXTermWindow * lxtermwin, gint argc, gchar
+ * This function returns TRUE if this process should keep running and FALSE if it should exit. */
+
+ /* Formulate the path for the Unix domain socket. */
+- gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", gdk_display_get_name(gdk_display_get_default()), g_get_user_name());
++ gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", g_get_user_runtime_dir(), gdk_display_get_name(gdk_display_get_default()));
+
+ /* Create socket. */
+ int fd = socket(PF_UNIX, SOCK_STREAM, 0);
diff -Nru lxterminal-0.3.0/debian/patches/02-fix-tab-name-dialog.diff lxterminal-0.3.0/debian/patches/02-fix-tab-name-dialog.diff
--- lxterminal-0.3.0/debian/patches/02-fix-tab-name-dialog.diff 1970-01-01 08:00:00.000000000 +0800
+++ lxterminal-0.3.0/debian/patches/02-fix-tab-name-dialog.diff 2017-05-09 12:13:07.000000000 +0800
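Review bot: The new `socket_path` assignment in `lxterminal_socket_initialize` rests entirely on `g_get_user_runtime_dir()` returning a directory that only the current user can write to, and nothing visible in the hunk checks that or records the assumption. GLib returns the user cache directory when `XDG_RUNTIME_DIR` is unset, and a value taken from the environment is not verified for ownership or mode here, so I would add a comment above the assignment such as `/* Socket must live in a user-private directory (XDG_RUNTIME_DIR, mode 0700); never fall back to a shared location such as /tmp (CVE-2016-10369). */` to keep a later change from reintroducing the shared path. The formatted path can also be longer than the old `/tmp` one, so the copy into `sockaddr_un.sun_path`, which presumably happens further down and is outside this hunk, should reject an over-long path rather than truncate it. The function body starts and ends outside the hunk.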
@@ -0,0 +1,22 @@
+From: Yao Wei (魏銘廷) <[email protected]>
+Subject: fix: tab name renaming
+
+* fix: display dialog buttons for changing tab name
+
+Origin: upstream, https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=e2ad448556ee0f78ebdd0e36dc16e96702326fb6
+Bug: https://github.com/lxde/lxterminal/issues/30
+Bug-Debian: http://bugs.debian.org/862096
+
+--- a/src/lxterminal.c
++++ b/src/lxterminal.c
+@@ -573,8 +573,8 @@
+ _("Name Tab"),
+ GTK_WINDOW(terminal->window),
+ 0,
+- NULL, GTK_RESPONSE_CANCEL,
+- NULL, GTK_RESPONSE_OK,
++ _("_Cancel"), GTK_RESPONSE_CANCEL,
++ _("_OK"), GTK_RESPONSE_OK,
+ NULL);
+ gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
+ if (gtk_icon_theme_has_icon(gtk_icon_theme_get_default(), "lxterminal"))
diff -Nru lxterminal-0.3.0/debian/patches/series lxterminal-0.3.0/debian/patches/series
--- lxterminal-0.3.0/debian/patches/series 1970-01-01 08:00:00.000000000 +0800
+++ lxterminal-0.3.0/debian/patches/series 2017-05-09 12:13:07.000000000 +0800
@@ -0,0 +1,2 @@
+01-cve-2016-10369.diff
+02-fix-tab-name-dialog.diff

