
Bug#862170: wheezy-pu: package lxterminal/0.1.11-4



Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu


Hi,

I'd like to upload a fix for CVE-2016-10369 to wheezy.

Attached is a rejected debdiff proposed for the Debian security team.

CVE-2016-10369:
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a
socket file, allowing a local user to cause a denial of service
(preventing terminal launch), or possibly have other impact (bypassing
terminal access control).

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru lxterminal-0.1.11/debian/changelog lxterminal-0.1.11/debian/changelog
--- lxterminal-0.1.11/debian/changelog	2012-05-19 01:30:00.000000000 +0800
+++ lxterminal-0.1.11/debian/changelog	2017-05-09 10:38:42.000000000 +0800
@@ -1,3 +1,10 @@
+lxterminal (0.1.11-4+deb7u1) wheezy-security; urgency=high
+
+  * Fix improper use of /tmp for a socket file (CVE-2016-10369)
+    (Closes: #862098)
+
+ -- Yao Wei (魏銘廷) <mwei@lxde.org>  Tue, 09 May 2017 10:38:42 +0800
+
 lxterminal (0.1.11-4) unstable; urgency=low
 
   * Moving package to priority optional.
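Review bot: the new changelog entry targets `wheezy-security` with `urgency=high`, but this request is a wheezy-pu (see the subject line; the security-team debdiff was rejected), so the distribution field should read `wheezy` for a proposed-updates upload. The CVE reference and `Closes: #862098` are fine as they are.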
diff -Nru lxterminal-0.1.11/debian/patches/02-cve-2016-10369.diff lxterminal-0.1.11/debian/patches/02-cve-2016-10369.diff
--- lxterminal-0.1.11/debian/patches/02-cve-2016-10369.diff	1970-01-01 08:00:00.000000000 +0800
+++ lxterminal-0.1.11/debian/patches/02-cve-2016-10369.diff	2017-05-09 10:38:42.000000000 +0800
@@ -0,0 +1,19 @@
+From: Yao Wei (魏銘廷) <mwei@lxde.org>
+Subject: fix: CVE-2016-10369: socket can be blocked by another user
+
+* fix: use g_get_user_runtime_dir for socket directory
+
+Origin: upstream, https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648
+Bug-Debian: http://bugs.debian.org/862098
+
+--- a/src/unixsocket.c
++++ b/src/unixsocket.c
+@@ -116,7 +116,7 @@
+      * This function returns TRUE if this process should keep running and FALSE if it should exit. */
+ 
+     /* Formulate the path for the Unix domain socket. */
+-    gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", gdk_get_display(), g_get_user_name());
++    gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", g_get_user_runtime_dir(), gdk_display_get_name(gdk_display_get_default()));
+ 
+     /* Create socket. */
+     int fd = socket(PF_UNIX, SOCK_STREAM, 0);
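Review bot: the new path drops the `g_get_user_name()` component and relies on `g_get_user_runtime_dir()` yielding a private, per-user directory; the patch description should state that assumption, and note that when XDG_RUNTIME_DIR is unset GLib falls back to the user's cache directory, which is still user-owned but not tmpfs-backed, so a stale socket file can survive a reboot. The switch from `gdk_get_display()` to `gdk_display_get_name(gdk_display_get_default())` keeps the existing requirement that GDK has already opened the default display, so no behaviour change there, but a sentence in the header would save the next reader from checking.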
diff -Nru lxterminal-0.1.11/debian/patches/series lxterminal-0.1.11/debian/patches/series
--- lxterminal-0.1.11/debian/patches/series	2012-04-28 18:05:35.000000000 +0800
+++ lxterminal-0.1.11/debian/patches/series	2017-05-09 10:38:42.000000000 +0800
@@ -1 +1,2 @@
 01-fix-mnemonics.patch
+02-cve-2016-10369.diff
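As an added illustration (not lxterminal's code and not part of the debdiff above), this shows the check a hardened version of the socket setup described in the CVE text and the patch could perform before binding: refuse any socket directory that is not a private, user-owned directory. The helper names `socket_dir_is_private` and `build_socket_path`, and the use of plain libc instead of GLib, are assumptions of this example.

```c
#define _DEFAULT_SOURCE 1          /* lstat, getuid, mkdtemp on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not lxterminal's code: returns 1 when `dir` can hold a
 * per-user socket, i.e. it is a real directory (not a symlink), owned by the
 * calling user and not writable by group or others. A shared directory such
 * as /tmp fails this check (CVE-2016-10369: another user can take the name). */
int socket_dir_is_private(const char *dir)
{
    struct stat st;
    if (dir == NULL || *dir == '\0')
        return 0;
    if (lstat(dir, &st) != 0)              /* missing or inaccessible */
        return 0;
    if (!S_ISDIR(st.st_mode))              /* symlink, regular file, ... */
        return 0;
    if (st.st_uid != getuid())             /* must belong to us */
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))  /* group/world-writable */
        return 0;
    return 1;
}

/* Builds "<dir>/.lxterminal-socket-<display>" (the layout the patch uses)
 * into `out`, but only when `dir` passed the check above. Returns 0 on
 * success, -1 on an unsafe directory, a missing display or a small buffer.
 * `dir` is typically $XDG_RUNTIME_DIR, what g_get_user_runtime_dir() returns. */
int build_socket_path(const char *dir, const char *display,
                      char *out, size_t outlen)
{
    if (!socket_dir_is_private(dir) || display == NULL)
        return -1;
    int n = snprintf(out, outlen, "%s/.lxterminal-socket-%s", dir, display);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char path[256];
    const char *dir = getenv("XDG_RUNTIME_DIR");   /* may be NULL */
    if (build_socket_path(dir, ":0", path, sizeof path) == 0)
        printf("socket path: %s\n", path);
    else
        printf("no private runtime directory; refusing to use a shared one\n");
    return 0;
}
```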