Bug#862169: jessie-pu: package lxterminal/0.2.0-1
Control: tag -1 pending

Cyril Brulebois (2017-06-30):
> Yao Wei (2017-06-28):
> > On Tue, Jun 27, 2017 at 10:59:24PM +0200, Cyril Brulebois wrote:
> > > You're fixing this through jessie-pu (short for jessie-proposed-updates),
> > > rather than via security; so please use “jessie” as the target codename.
> >
> > Sorry that the patch was meant to jessie-security target. Attached is
> > the corrected one.
>
> Looks good to me. As I mentioned in my first mail: this can be uploaded
> to jessie, but thanks for double checking before the upload. :)

Now flagged for acceptance, thanks.

KiBi.
Bug#862169: jessie-pu: package lxterminal/0.2.0-1
Hi,

Yao Wei (2017-06-28):
> On Tue, Jun 27, 2017 at 10:59:24PM +0200, Cyril Brulebois wrote:
> > You're fixing this through jessie-pu (short for jessie-proposed-updates),
> > rather than via security; so please use “jessie” as the target codename.
>
> Sorry that the patch was meant to jessie-security target. Attached is
> the corrected one.

Looks good to me. As I mentioned in my first mail: this can be uploaded
to jessie, but thanks for double checking before the upload. :)

KiBi.
Bug#862169: jessie-pu: package lxterminal/0.2.0-1
Hi,

On Tue, Jun 27, 2017 at 10:59:24PM +0200, Cyril Brulebois wrote:
> You're fixing this through jessie-pu (short for jessie-proposed-updates),
> rather than via security; so please use “jessie” as the target codename.

Sorry that the patch was meant to jessie-security target. Attached is
the corrected one.

Yao Wei

diff -Nru lxterminal-0.2.0/debian/changelog lxterminal-0.2.0/debian/changelog --- lxterminal-0.2.0/debian/changelog 2014-10-22 06:18:50.0 +0800 +++ lxterminal-0.2.0/debian/changelog 2017-05-09 11:37:21.0 +0800 @@ -1,3 +1,10 @@ +lxterminal (0.2.0-1+deb8u1) jessie; urgency=high + + * Fix improper use of /tmp for a socket file (CVE-2016-10369) +(Closes: #862098) + + -- Yao Wei (魏銘廷)Tue, 09 May 2017 11:37:21 +0800 + lxterminal (0.2.0-1) unstable; urgency=low * Adding --disable-silent-rules to fix buildlog checker warning. diff -Nru lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff --- lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff 1970-01-01 08:00:00.0 +0800 +++ lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff 2017-05-09 11:37:21.0 +0800
@@ -0,0 +1,19 @@ +From: Yao Wei (魏銘廷) +Subject: fix: CVE-2016-10369: socket can be blocked by another user + +* fix: use g_get_user_runtime_dir for socket directory + +Origin: upstream, https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648 +Bug-Debian: http://bugs.debian.org/862098 + +--- a/src/unixsocket.c b/src/unixsocket.c +@@ -120,7 +120,7 @@ + * This function returns TRUE if this process should keep running and FALSE if it should exit. */ + + /* Formulate the path for the Unix domain socket. */ +-gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", gdk_get_display(), g_get_user_name()); ++gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", g_get_user_runtime_dir(), gdk_display_get_name(gdk_display_get_default())); + + /* Create socket. */ + int fd = socket(PF_UNIX, SOCK_STREAM, 0); diff -Nru lxterminal-0.2.0/debian/patches/series lxterminal-0.2.0/debian/patches/series --- lxterminal-0.2.0/debian/patches/series 2014-10-22 05:56:19.0 +0800 +++ lxterminal-0.2.0/debian/patches/series 2017-05-09 11:37:21.0 +0800 @@ -0,0 +1 @@ +01-cve-2016-10369.diff
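Review bot: the changelog hunk now correctly targets `jessie`; the one remaining point is the trailer line, which appears here as `-- Yao Wei (魏銘廷)Tue, 09 May 2017 11:37:21 +0800`, with no `<email>` part and no double space before the date, whereas dpkg-parsechangelog requires the form ` -- Name <email>  date`. If that is only how the mail was rendered there is nothing to do; otherwise dpkg-parsechangelog will fail on the entry.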
Bug#862169: jessie-pu: package lxterminal/0.2.0-1
Control: tag -1 confirmed

Hi,

Yao Wei (2017-05-09):
> I'd like to upload a fix for CVE-2016-10369 to jessie.

This looks good but:

> diff -Nru lxterminal-0.2.0/debian/changelog lxterminal-0.2.0/debian/changelog
> --- lxterminal-0.2.0/debian/changelog 2014-10-22 06:18:50.0 +0800
> +++ lxterminal-0.2.0/debian/changelog 2017-05-09 11:37:21.0 +0800
> @@ -1,3 +1,10 @@
> +lxterminal (0.2.0-1+deb8u1) jessie-security; urgency=high
                               ^^^

You're fixing this through jessie-pu (short for jessie-proposed-updates),
rather than via security; so please use “jessie” as the target codename.

Feel free to open once you've fixed this.

KiBi.
Bug#862169: jessie-pu: package lxterminal/0.2.0-1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to upload a fix for CVE-2016-10369 to jessie.

CVE-2016-10369: unixsocket.c in lxterminal through 0.3.0 insecurely uses
/tmp for a socket file, allowing a local user to cause a denial of service
(preventing terminal launch), or possibly have other impact (bypassing
terminal access control).

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru lxterminal-0.2.0/debian/changelog lxterminal-0.2.0/debian/changelog --- lxterminal-0.2.0/debian/changelog 2014-10-22 06:18:50.0 +0800 +++ lxterminal-0.2.0/debian/changelog 2017-05-09 11:37:21.0 +0800
@@ -1,3 +1,10 @@ +lxterminal (0.2.0-1+deb8u1) jessie-security; urgency=high + + * Fix improper use of /tmp for a socket file (CVE-2016-10369) +(Closes: #862098) + + -- Yao Wei (魏銘廷)Tue, 09 May 2017 11:37:21 +0800 + lxterminal (0.2.0-1) unstable; urgency=low * Adding --disable-silent-rules to fix buildlog checker warning. diff -Nru lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff --- lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff 1970-01-01 08:00:00.0 +0800 +++ lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff 2017-05-09 11:37:21.0 +0800 @@ -0,0 +1,19 @@ +From: Yao Wei (魏銘廷) +Subject: fix: CVE-2016-10369: socket can be blocked by another user + +* fix: use g_get_user_runtime_dir for socket directory + +Origin: upstream, https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648 +Bug-Debian: http://bugs.debian.org/862098 + +--- a/src/unixsocket.c b/src/unixsocket.c +@@ -120,7 +120,7 @@ + * This function returns TRUE if this process should keep running and FALSE if it should exit. */ + + /* Formulate the path for the Unix domain socket. */ +-gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", gdk_get_display(), g_get_user_name()); ++gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", g_get_user_runtime_dir(), gdk_display_get_name(gdk_display_get_default())); + + /* Create socket. */ + int fd = socket(PF_UNIX, SOCK_STREAM, 0); diff -Nru lxterminal-0.2.0/debian/patches/series lxterminal-0.2.0/debian/patches/series --- lxterminal-0.2.0/debian/patches/series 2014-10-22 05:56:19.0 +0800 +++ lxterminal-0.2.0/debian/patches/series 2017-05-09 11:37:21.0 +0800 @@ -0,0 +1 @@ +01-cve-2016-10369.diff
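Review bot: the changelog hunk's distribution field reads `jessie-security`, but this request goes through jessie-pu (proposed-updates), so the entry should open `lxterminal (0.2.0-1+deb8u1) jessie; urgency=high`; the `+deb8u1` version suffix and the `Closes: #862098` reference are the right shape for a stable update.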
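Review bot: in the `01-cve-2016-10369.diff` hunk, the new `socket_path` drops the `g_get_user_name()` component and relies on `g_get_user_runtime_dir()` for per-user separation; that holds when `XDG_RUNTIME_DIR` is set (a private mode-0700 directory under a login manager), but GLib falls back to the user's cache directory when it is unset, so the socket then lives under the home directory and survives reboots, which makes it worth confirming that a stale socket file from an earlier session is handled rather than taken for a running instance. The replacement of the deprecated `gdk_get_display()` by `gdk_display_get_name(gdk_display_get_default())` is correct, and the DEP-3 header (Origin pointing at the upstream commit, Bug-Debian) is complete.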
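As an added example, not code from lxterminal, from this patch or from the Debian thread: a small C check of the kind a reviewer would want around the new socket location. It verifies that the directory named by XDG_RUNTIME_DIR is a real directory (not a symlink) owned by the calling user with no group or other permission bits before building the socket path, and returns an error instead of falling back to a shared location such as /tmp, which is the situation CVE-2016-10369 describes. The function names, the display-name parameter and the sample directories are this example's own assumptions.

```c
/* Added example (not part of lxterminal or of the Debian patch): check
 * that a per-user socket directory really is private before using it.
 * Function and variable names are this example's own. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Return 1 if `dir` is an absolute path to a directory owned by the
 * calling user that no other user can write to or traverse (mode 0700),
 * otherwise 0.  lstat() is used so a symlink planted at the path fails. */
int socket_dir_is_private(const char *dir)
{
    struct stat st;

    if (dir == NULL || dir[0] != '/')
        return 0;
    if (lstat(dir, &st) != 0)
        return 0;
    if (!S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != getuid())
        return 0;
    /* Any group/other permission bit means another local user could
     * create, remove or rename the socket, which is what the shared
     * /tmp location allowed. */
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
        return 0;
    return 1;
}

/* Build the socket path the way the fix does (runtime dir plus a fixed
 * name carrying the display name), but only after verifying the
 * directory.  `display_name` stands in for what GDK would supply.
 * Writes into `buf`; returns 0 on success, -1 when no private directory
 * is available or the buffer is too small. */
int build_socket_path(const char *display_name, char *buf, size_t buflen)
{
    const char *dir = getenv("XDG_RUNTIME_DIR");
    int n;

    if (!socket_dir_is_private(dir))
        return -1;
    n = snprintf(buf, buflen, "%s/.lxterminal-socket-%s", dir, display_name);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return 0;
}

int main(void)
{
    char path[4096];

    /* ":0" is a constructed display name for the stand-alone run. */
    if (build_socket_path(":0", path, sizeof path) == 0)
        printf("socket path: %s\n", path);
    else
        fprintf(stderr, "no private runtime directory; not using a shared one\n");
    return 0;
}
```

On a systemd-logind session XDG_RUNTIME_DIR is a per-user directory with mode 0700, so the check passes; a directory such as /tmp (mode 1777, shared by all users) is rejected, and a caller that gets -1 should report the problem rather than silently pick another path.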