Bug#862169: jessie-pu: package lxterminal/0.2.0-1

2017-07-04 Thread Cyril Brulebois
Control: tag -1 pending

Cyril Brulebois  (2017-06-30):
> Yao Wei  (2017-06-28):
> > On Tue, Jun 27, 2017 at 10:59:24PM +0200, Cyril Brulebois wrote:
> > > You're fixing this through jessie-pu (short for jessie-proposed-updates),
> > > rather than via security; so please use “jessie” as the target codename.
> > 
> > Sorry that the patch was meant for the jessie-security target.  Attached is
> > the corrected one.
> 
> Looks good to me. As I mentioned in my first mail: this can be uploaded
> to jessie, but thanks for double checking before the upload. :)

Now flagged for acceptance, thanks.


KiBi.




Bug#862169: jessie-pu: package lxterminal/0.2.0-1

2017-06-29 Thread Cyril Brulebois
Hi,

Yao Wei  (2017-06-28):
> On Tue, Jun 27, 2017 at 10:59:24PM +0200, Cyril Brulebois wrote:
> > You're fixing this through jessie-pu (short for jessie-proposed-updates),
> > rather than via security; so please use “jessie” as the target codename.
> 
> Sorry that the patch was meant for the jessie-security target.  Attached is
> the corrected one.

Looks good to me. As I mentioned in my first mail: this can be uploaded
to jessie, but thanks for double checking before the upload. :)


KiBi.




Bug#862169: jessie-pu: package lxterminal/0.2.0-1

2017-06-27 Thread Yao Wei
Hi,

On Tue, Jun 27, 2017 at 10:59:24PM +0200, Cyril Brulebois wrote:
> You're fixing this through jessie-pu (short for jessie-proposed-updates),
> rather than via security; so please use “jessie” as the target codename.

Sorry that the patch was meant for the jessie-security target.  Attached is
the corrected one.

Yao Wei
diff -Nru lxterminal-0.2.0/debian/changelog lxterminal-0.2.0/debian/changelog
--- lxterminal-0.2.0/debian/changelog   2014-10-22 06:18:50.0 +0800
+++ lxterminal-0.2.0/debian/changelog   2017-05-09 11:37:21.0 +0800
@@ -1,3 +1,10 @@
+lxterminal (0.2.0-1+deb8u1) jessie; urgency=high
+
+  * Fix improper use of /tmp for a socket file (CVE-2016-10369)
+(Closes: #862098)
+
+ -- Yao Wei (魏銘廷)   Tue, 09 May 2017 11:37:21 +0800
+
 lxterminal (0.2.0-1) unstable; urgency=low
 
   * Adding --disable-silent-rules to fix buildlog checker warning.
diff -Nru lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff 
lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff
--- lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff  1970-01-01 
08:00:00.0 +0800
+++ lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff  2017-05-09 
11:37:21.0 +0800
@@ -0,0 +1,19 @@
+From: Yao Wei (魏銘廷) 
+Subject: fix: CVE-2016-10369: socket can be blocked by another user
+
+* fix: use g_get_user_runtime_dir for socket directory
+
+Origin: upstream, 
https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648
+Bug-Debian: http://bugs.debian.org/862098
+
+--- a/src/unixsocket.c
 b/src/unixsocket.c
+@@ -120,7 +120,7 @@
+  * This function returns TRUE if this process should keep running and 
FALSE if it should exit. */
+ 
+ /* Formulate the path for the Unix domain socket. */
+-gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", 
gdk_get_display(), g_get_user_name());
++gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", 
g_get_user_runtime_dir(), gdk_display_get_name(gdk_display_get_default()));
+ 
+ /* Create socket. */
+ int fd = socket(PF_UNIX, SOCK_STREAM, 0);
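Review bot: the new socket_path in this hunk drops g_get_user_name() and keys isolation entirely on g_get_user_runtime_dir(), which is right for XDG_RUNTIME_DIR (per-user, mode 0700, a tmpfs under /run/user on systemd systems) but changes behaviour when that variable is unset: GLib then falls back to the user's cache directory, where a socket file persists across reboots, so please check that the bind() error handling further down in unixsocket.c copes with a stale socket at the new path. The display argument also moves from the deprecated gdk_get_display() to gdk_display_get_name(gdk_display_get_default()), which is the documented equivalent but dereferences a NULL default display if none is open; the old call had the same assumption, so this is a note rather than a blocker.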
diff -Nru lxterminal-0.2.0/debian/patches/series 
lxterminal-0.2.0/debian/patches/series
--- lxterminal-0.2.0/debian/patches/series  2014-10-22 05:56:19.0 
+0800
+++ lxterminal-0.2.0/debian/patches/series  2017-05-09 11:37:21.0 
+0800
@@ -0,0 +1 @@
+01-cve-2016-10369.diff




Bug#862169: jessie-pu: package lxterminal/0.2.0-1

2017-06-27 Thread Cyril Brulebois
Control: tag -1 confirmed

Hi,

Yao Wei  (2017-05-09):
> I'd like to upload a fix for CVE-2016-10369 to jessie.

This looks good but:

> diff -Nru lxterminal-0.2.0/debian/changelog lxterminal-0.2.0/debian/changelog
> --- lxterminal-0.2.0/debian/changelog 2014-10-22 06:18:50.0 +0800
> +++ lxterminal-0.2.0/debian/changelog 2017-05-09 11:37:21.0 +0800
> @@ -1,3 +1,10 @@
> +lxterminal (0.2.0-1+deb8u1) jessie-security; urgency=high
   ^^^

You're fixing this through jessie-pu (short for jessie-proposed-updates),
rather than via security; so please use “jessie” as the target codename.

Feel free to open once you've fixed this.


KiBi.




Bug#862169: jessie-pu: package lxterminal/0.2.0-1

2017-05-09 Thread 魏銘廷
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu


Hi,

I'd like to upload a fix for CVE-2016-10369 to jessie.

CVE-2016-10369:
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a
socket file, allowing a local user to cause a denial of service
(preventing terminal launch), or possibly have other impact (bypassing
terminal access control).

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru lxterminal-0.2.0/debian/changelog lxterminal-0.2.0/debian/changelog
--- lxterminal-0.2.0/debian/changelog   2014-10-22 06:18:50.0 +0800
+++ lxterminal-0.2.0/debian/changelog   2017-05-09 11:37:21.0 +0800
@@ -1,3 +1,10 @@
+lxterminal (0.2.0-1+deb8u1) jessie-security; urgency=high
+
+  * Fix improper use of /tmp for a socket file (CVE-2016-10369)
+(Closes: #862098)
+
+ -- Yao Wei (魏銘廷)   Tue, 09 May 2017 11:37:21 +0800
+
 lxterminal (0.2.0-1) unstable; urgency=low
 
   * Adding --disable-silent-rules to fix buildlog checker warning.
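Review bot: the distribution on the first added line of this hunk is jessie-security, but the upload is going through jessie-pu (proposed-updates) rather than the security archive, so the changelog entry should target jessie; the version 0.2.0-1+deb8u1 itself is the right form for a jessie stable update.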
diff -Nru lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff 
lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff
--- lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff  1970-01-01 
08:00:00.0 +0800
+++ lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff  2017-05-09 
11:37:21.0 +0800
@@ -0,0 +1,19 @@
+From: Yao Wei (魏銘廷) 
+Subject: fix: CVE-2016-10369: socket can be blocked by another user
+
+* fix: use g_get_user_runtime_dir for socket directory
+
+Origin: upstream, 
https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648
+Bug-Debian: http://bugs.debian.org/862098
+
+--- a/src/unixsocket.c
 b/src/unixsocket.c
+@@ -120,7 +120,7 @@
+  * This function returns TRUE if this process should keep running and 
FALSE if it should exit. */
+ 
+ /* Formulate the path for the Unix domain socket. */
+-gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", 
gdk_get_display(), g_get_user_name());
++gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", 
g_get_user_runtime_dir(), gdk_display_get_name(gdk_display_get_default()));
+ 
+ /* Create socket. */
+ int fd = socket(PF_UNIX, SOCK_STREAM, 0);
diff -Nru lxterminal-0.2.0/debian/patches/series 
lxterminal-0.2.0/debian/patches/series
--- lxterminal-0.2.0/debian/patches/series  2014-10-22 05:56:19.0 
+0800
+++ lxterminal-0.2.0/debian/patches/series  2017-05-09 11:37:21.0 
+0800
@@ -0,0 +1 @@
+01-cve-2016-10369.diff
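The CVE description in the bug report above says the problem is a socket file in /tmp that any local user can occupy, and the patch moves it to the per-user runtime directory. As an added example (not lxterminal's code or the Debian patch), here is that idea in plain C without GLib, with the ownership and mode checks a defender would want before trusting the directory; the function names, the XDG_RUNTIME_DIR lookup and the socket name are assumptions.

```c
/* Added example, not lxterminal's code: build the per-user socket path the
 * CVE-2016-10369 fix moved to, but verify the directory first (plain C, no
 * GLib; function names and the XDG_RUNTIME_DIR lookup are assumptions). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* 1 if dir is a directory owned by the caller with no group/other bits
 * (mode 0700), else 0.  A world-writable /tmp fails this check, which is
 * what let another local user pre-create the socket in the old code. */
int runtime_dir_is_safe(const char *dir)
{
    struct stat st;
    if (dir == NULL || *dir != '/' || lstat(dir, &st) != 0)
        return 0;                        /* unset, relative, or missing */
    if (!S_ISDIR(st.st_mode))
        return 0;                        /* lstat also rejects symlinks */
    if (st.st_uid != getuid())
        return 0;                        /* owned by someone else */
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return 0;                        /* reachable by group/others */
    return 1;
}

/* Writes "<dir>/.lxterminal-socket-<display>" into out.  The user name is
 * no longer part of the name since the directory is already per-user.
 * Returns 0 on success, -1 if dir is unsafe, display could escape the
 * directory, or the path does not fit (sun_path is only 108 bytes). */
int build_socket_path(char *out, size_t outlen, const char *dir,
                      const char *display)
{
    if (!runtime_dir_is_safe(dir) || display == NULL || strchr(display, '/'))
        return -1;
    int n = snprintf(out, outlen, "%s/.lxterminal-socket-%s", dir, display);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char path[108];   /* never falls back to /tmp when the check fails */
    if (build_socket_path(path, sizeof path, getenv("XDG_RUNTIME_DIR"), ":0") == 0)
        printf("socket path: %s\n", path);
    else
        fprintf(stderr, "no safe per-user runtime dir; refusing /tmp\n");
    return 0;
}
```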