Package: release.debian.org
Severity: normal
Tags: wheezy
User: [email protected]
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

I'd like to upload a fix for CVE-2016-10369 to wheezy. Attached is a rejected debdiff proposed for the Debian security team.

CVE-2016-10369: unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

- -- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-----BEGIN PGP SIGNATURE-----

iQJCBAEBCAAsFiEE/tVDSEUoffJikxSJz7v84LdPGxQFAlkRopoOHG13ZWlAbHhk
ZS5vcmcACgkQz7v84LdPGxRyqA//Z+2stjHuk/aGxRZD64xJXodH1cBXMD0zvwPj
ULeS21sE5i2Tg05KksBIm3ksFNaONhr6GvCoq88EiIPWxri/jEJDaPsbK842WlS9
DsCh7jdWpoyoto0MbpvNz7OrPrsUQI3d9kXqhQ9V/lRn582kVPgMxHf/Y5T25kvY
vGYEw8cXT2S/ZnMKrWYGnICdI0sfjK+O7NGpMAPfmgj0stYLN/5I5C8eT/P7LLY+
uPJrBuf/fowC88RwRpm6+wE2g1sL7gHMJ0N5cS68FABCuPztjzYqGUvT+oLp2rZ/
n0oIWiIC0fvllVS92D/jnxOhBxTNE7T6Iug858ZQkVe4Y2Y1GwrkEsRt/YcubHfV
f+yj0csLfu8xSFzyWlT05AJUcVgNGuXx7OLTCmoCGQOUPU+Awu9sYvvO/47ZRkfn
CJvbq06aym8Ca6M5gGuHLZHLmEYtl+a4crBu2OQQa6W/qiIgbeXouLw5bKaAnxHZ
DPdlUHdR0mygpgRo1skYKKBiwftVZuEUJ7mDRUJLi1IzeN2QukEUsGlxOZlfWXma
KAbOJcHyZkWl0mkXKQqhJc8UdOZIAgRov8LU3fizQE13+aWV7aPqtC430vLmrDPd
Tmzo+91oZm/UOn26fTo1OMs63kOX3laWOuQ+qssRkckOWpuWDeibEtibleAxE2AT
ZvF/1ow=
=V8rr
-----END PGP SIGNATURE-----
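As an added illustration of the bug the CVE text above describes (example code written for this page, not lxterminal's, GLib's or Debian's own), the C program below reproduces the socket squatting with plain POSIX calls: a guessable socket name in a world-writable directory can be claimed first by any local user, so the victim's bind() fails with EADDRINUSE, whereas a name inside a directory that is private to the user cannot be squatted. The fixture directories under /tmp (or the working directory), the display name ":0" and the user name "victim" are constructed for the demo. The dir_is_private() check is an addition beyond what the patch does; the patch trusts g_get_user_runtime_dir() alone, and this check is what you would want when XDG_RUNTIME_DIR is unset and GLib falls back to the cache directory.

```c
/* Added demonstration of CVE-2016-10369 (not lxterminal's code): a predictable
 * socket name in a shared directory can be squatted by any local user, while a
 * name inside a verified private directory cannot. Plain POSIX, no GLib. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Fixture (constructed for the demo): a throwaway directory. mkdir gives 0700
 * to stand in for $XDG_RUNTIME_DIR; with shared=1 it is relaxed to 1777 to
 * stand in for the real /tmp used by the vulnerable code. */
static int make_fixture_dir(int shared, char *out, size_t n)
{
    static int counter;
    int id = counter++;
    const char *bases[] = { "/tmp", "." };   /* fall back to cwd if /tmp is unusable */
    for (size_t i = 0; i < 2; i++) {
        int len = snprintf(out, n, "%s/lxt-demo.%ld.%d", bases[i], (long)getpid(), id);
        if (len < 0 || (size_t)len >= n) return -1;
        if (mkdir(out, 0700) == 0) {
            if (shared && chmod(out, 01777) != 0) { rmdir(out); return -1; }
            return 0;
        }
    }
    return -1;
}

/* Defence in depth that g_get_user_runtime_dir() alone does not give you:
 * accept only a directory we own that no other user can traverse or write
 * (stat follows symlinks, so the check applies to the real target). */
static int dir_is_private(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != getuid()) return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* bind() an AF_UNIX socket at path; returns 0 or the errno of the failing
 * call. Linux reports EADDRINUSE when anything already exists at path. */
static int bind_unix_socket(const char *path)
{
    struct sockaddr_un sa;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    if (strlen(path) >= sizeof sa.sun_path) return ENAMETOOLONG;
    strcpy(sa.sun_path, path);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 ? 0 : errno;
    close(fd);
    if (rc == 0) unlink(path);   /* a successful bind leaves a socket inode behind */
    return rc;
}

/* Scenario 1, the CVE: the pre-fix name "/tmp/.lxterminal-socket<display>-<user>"
 * is guessable, so an "attacker" creates it first and the victim's bind() fails
 * (denial of service: no new terminal can be launched). Returns bind()'s errno. */
int demo_squat_in_shared_dir(void)
{
    char dir[64], path[128];
    if (make_fixture_dir(1, dir, sizeof dir) != 0) return -1;
    snprintf(path, sizeof path, "%s/.lxterminal-socket%s-%s", dir, ":0", "victim");
    int squat = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);   /* attacker's step */
    if (squat < 0) { rmdir(dir); return -1; }
    close(squat);
    int rc = bind_unix_socket(path);                             /* victim's step */
    unlink(path);
    rmdir(dir);
    return rc;
}

/* Scenario 2, the fix: bind only inside a directory that passes dir_is_private().
 * shared=0 models $XDG_RUNTIME_DIR (0700, ours) and returns 0; shared=1 models a
 * world-writable directory and is refused with EACCES before bind() is reached. */
int demo_bind_with_check(int shared)
{
    char dir[64], path[128];
    if (make_fixture_dir(shared, dir, sizeof dir) != 0) return -1;
    int rc;
    if (!dir_is_private(dir)) {
        rc = EACCES;
    } else {
        snprintf(path, sizeof path, "%s/.lxterminal-socket-%s", dir, ":0");
        rc = bind_unix_socket(path);
    }
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("squat in shared dir : %s\n", strerror(demo_squat_in_shared_dir()));
    printf("private runtime dir : %s\n", strerror(demo_bind_with_check(0)));
    printf("shared dir refused  : %s\n", strerror(demo_bind_with_check(1)));
    return 0;
}
```

Run it as any unprivileged user: the first scenario reports EADDRINUSE, the second succeeds, the third is refused with EACCES. Linux's bind() turns the EEXIST from creating the socket inode into EADDRINUSE, which is why an empty regular file is all the attacker needs for the denial of service; a pre-created socket or FIFO at the same name is what the "other impact" wording in the CVE points at.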
diff -Nru lxterminal-0.1.11/debian/changelog lxterminal-0.1.11/debian/changelog --- lxterminal-0.1.11/debian/changelog 2012-05-19 01:30:00.000000000 +0800 +++ lxterminal-0.1.11/debian/changelog 2017-05-09 10:38:42.000000000 +0800 @@ -1,3 +1,10 @@ +lxterminal (0.1.11-4+deb7u1) wheezy-security; urgency=high + + * Fix improper use of /tmp for a socket file (CVE-2016-10369) + (Closes: #862098) + + -- Yao Wei (魏銘廷) <[email protected]> Tue, 09 May 2017 10:38:42 +0800 + lxterminal (0.1.11-4) unstable; urgency=low * Moving package to priority optional. diff -Nru lxterminal-0.1.11/debian/patches/02-cve-2016-10369.diff lxterminal-0.1.11/debian/patches/02-cve-2016-10369.diff --- lxterminal-0.1.11/debian/patches/02-cve-2016-10369.diff 1970-01-01 08:00:00.000000000 +0800 +++ lxterminal-0.1.11/debian/patches/02-cve-2016-10369.diff 2017-05-09 10:38:42.000000000 +0800 
@@ -0,0 +1,19 @@ +From: Yao Wei (魏銘廷) <[email protected]> +Subject: fix: CVE-2016-10369: socket can be blocked by another user + +* fix: use g_get_user_runtime_dir for socket directory + +Origin: upstream, https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648 +Bug-Debian: http://bugs.debian.org/862098 + +--- a/src/unixsocket.c ++++ b/src/unixsocket.c +@@ -116,7 +116,7 @@ + * This function returns TRUE if this process should keep running and FALSE if it should exit. */ + + /* Formulate the path for the Unix domain socket. */ +- gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", gdk_get_display(), g_get_user_name()); ++ gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", g_get_user_runtime_dir(), gdk_display_get_name(gdk_display_get_default())); + + /* Create socket. */ + int fd = socket(PF_UNIX, SOCK_STREAM, 0); diff -Nru lxterminal-0.1.11/debian/patches/series lxterminal-0.1.11/debian/patches/series --- lxterminal-0.1.11/debian/patches/series 2012-04-28 18:05:35.000000000 +0800 +++ lxterminal-0.1.11/debian/patches/series 2017-05-09 10:38:42.000000000 +0800 @@ -1 +1,2 @@ 01-fix-mnemonics.patch +02-cve-2016-10369.diff
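Review bot: the changelog stanza targets `wheezy-security` with `urgency=high`, but this is being filed as a pu request against release.debian.org (Usertags: pu, and the cover mail says the security team rejected the debdiff). `wheezy-security` is the suite for uploads to security-master; a proposed-update upload must carry the plain suite codename, so the first line should read `lxterminal (0.1.11-4+deb7u1) wheezy; urgency=medium` (the `+deb7u1` version is right for wheezy). The `Closes: #862098` matches the `Bug-Debian` field in the new patch header.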
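Review bot: the new path in the unixsocket.c hunk trusts `g_get_user_runtime_dir()` completely, and the hunk neither creates the directory nor checks its ownership or mode before the socket is bound. When `XDG_RUNTIME_DIR` is unset (no logind session, which is the usual case on a wheezy box running sysvinit) GLib falls back to the user cache directory (~/.cache), which is user-owned, so squatting is no longer possible, but it persists across logins rather than being per-session, so a stale `.lxterminal-socket-<display>` file can remain from a previous session; confirm that the connect-then-unlink logic around this path (not in the hunk) copes with that, and consider a `g_mkdir_with_parents(dir, 0700)` plus an ownership/mode check so a fallback directory that another program created 0755 is not used silently. Two smaller points: `g_get_user_runtime_dir()` needs GLib 2.28 or later, so check that the wheezy glib2.0 build-dependency satisfies it; and the old name embedded `g_get_user_name()` while the new one does not, which is fine only because the directory is now per-user, which is the whole premise of the fix.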
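Review bot: style point on the series hunk: the existing entry is `01-fix-mnemonics.patch` while the new one is `02-cve-2016-10369.diff`; use one extension for both (rename the new file to `02-cve-2016-10369.patch`) so the patch directory stays consistent.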

