
Bug#862150: marked as done (unblock: lxterminal/0.3.0-2)



Your message dated Tue, 09 May 2017 21:28:58 +0000
with message-id <E1d8Cgk-00032N-Nd@respighi.debian.org>
and subject line unblock lxterminal
has caused the Debian Bug report #862150,
regarding unblock: lxterminal/0.3.0-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
862150: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862150
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Please unblock package lxterminal

This will introduce 2 bugfixes, one of which is a security fix:
* #862098 (grave) - lxterminal: CVE-2016-10369: socket can be blocked by
  another user
* #862096 (important) - lxterminal: unable to rename tabs

unblock lxterminal/0.3.0-1

- -- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)


-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
diff -Nru lxterminal-0.3.0/debian/changelog lxterminal-0.3.0/debian/changelog
--- lxterminal-0.3.0/debian/changelog	2016-12-21 05:44:54.000000000 +0800
+++ lxterminal-0.3.0/debian/changelog	2017-05-09 12:13:07.000000000 +0800
@@ -1,3 +1,11 @@
+lxterminal (0.3.0-2) unstable; urgency=high
+
+  * Fix improper use of /tmp for a socket file. (CVE-2016-10369)
+    (Closes: #862098)
+  * Fix tab renaming dialog. (Closes: #862096)
+
+ -- Yao Wei (魏銘廷) <mwei@lxde.org>  Tue, 09 May 2017 12:13:07 +0800
+
 lxterminal (0.3.0-1) unstable; urgency=medium
 
   * Enabling parallel build (pass --parallel to dh).
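Review bot: The new top entry is versioned 0.3.0-2, but the unblock hint in the request names lxterminal/0.3.0-1, which is the version of the unchanged entry kept as context below it. The hint should read "unblock lxterminal/0.3.0-2" so that it matches the upload carrying the CVE-2016-10369 fix and the bug title.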
diff -Nru lxterminal-0.3.0/debian/patches/01-cve-2016-10369.diff lxterminal-0.3.0/debian/patches/01-cve-2016-10369.diff
--- lxterminal-0.3.0/debian/patches/01-cve-2016-10369.diff	1970-01-01 08:00:00.000000000 +0800
+++ lxterminal-0.3.0/debian/patches/01-cve-2016-10369.diff	2017-05-09 12:13:07.000000000 +0800
@@ -0,0 +1,21 @@
+From: Yao Wei (魏銘廷) <mwei@lxde.org>
+Subject: fix: CVE-2016-10369: socket can be blocked by another user
+
+* fix: use g_get_user_runtime_dir for socket directory
+
+Origin: upstream, https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648
+Bug-Debian: http://bugs.debian.org/862098
+
+diff --git a/src/unixsocket.c b/src/unixsocket.c
+index 4c660ac..df5b737 100644
+--- a/src/unixsocket.c
++++ b/src/unixsocket.c
+@@ -140,7 +140,7 @@ gboolean lxterminal_socket_initialize(LXTermWindow * lxtermwin, gint argc, gchar
+      * This function returns TRUE if this process should keep running and FALSE if it should exit. */
+ 
+     /* Formulate the path for the Unix domain socket. */
+-    gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", gdk_display_get_name(gdk_display_get_default()), g_get_user_name());
++    gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", g_get_user_runtime_dir(), gdk_display_get_name(gdk_display_get_default()));
+ 
+     /* Create socket. */
+     int fd = socket(PF_UNIX, SOCK_STREAM, 0);
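Review bot: On the added socket_path line the user name is dropped from the file name, so per-user separation now rests entirely on g_get_user_runtime_dir() returning a directory that only the calling user can write to, and neither the code comment nor the patch header states that assumption. GLib falls back to the user cache directory when XDG_RUNTIME_DIR is unset, so I would extend the "Formulate the path" comment to say what the directory must guarantee and check that it is owned by the caller and not group- or world-writable before the socket is created. The file name also changes shape (a hyphen now precedes the display name and the directory differs), so an instance started before the upgrade will not be found by new invocations; a line about that in the patch header would help.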
diff -Nru lxterminal-0.3.0/debian/patches/02-fix-tab-name-dialog.diff lxterminal-0.3.0/debian/patches/02-fix-tab-name-dialog.diff
--- lxterminal-0.3.0/debian/patches/02-fix-tab-name-dialog.diff	1970-01-01 08:00:00.000000000 +0800
+++ lxterminal-0.3.0/debian/patches/02-fix-tab-name-dialog.diff	2017-05-09 12:13:07.000000000 +0800
@@ -0,0 +1,22 @@
+From: Yao Wei (魏銘廷) <mwei@lxde.org>
+Subject: fix: tab name renaming
+
+* fix: display dialog buttons for changing tab name
+
+Origin: upstream, https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=e2ad448556ee0f78ebdd0e36dc16e96702326fb6
+Bug: https://github.com/lxde/lxterminal/issues/30
+Bug-Debian: http://bugs.debian.org/862096
+
+--- a/src/lxterminal.c
++++ b/src/lxterminal.c
+@@ -573,8 +573,8 @@
+         _("Name Tab"),
+         GTK_WINDOW(terminal->window),
+         0,
+-        NULL, GTK_RESPONSE_CANCEL,
+-        NULL, GTK_RESPONSE_OK,
++        _("_Cancel"), GTK_RESPONSE_CANCEL,
++        _("_OK"), GTK_RESPONSE_OK,
+         NULL);
+     gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
+     if (gtk_icon_theme_has_icon(gtk_icon_theme_get_default(), "lxterminal"))
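Review bot: The two replaced button-label lines introduce "_Cancel" and "_OK" as new translatable strings inside _(), so unless the shipped message catalogs already contain those msgids the buttons will appear in English in other locales. That is still better than the NULL labels being removed, but it is worth stating in the patch header, or reusing labels the package already has translations for.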
diff -Nru lxterminal-0.3.0/debian/patches/series lxterminal-0.3.0/debian/patches/series
--- lxterminal-0.3.0/debian/patches/series	1970-01-01 08:00:00.000000000 +0800
+++ lxterminal-0.3.0/debian/patches/series	2017-05-09 12:13:07.000000000 +0800
@@ -0,0 +1,2 @@
+01-cve-2016-10369.diff
+02-fix-tab-name-dialog.diff

--- End Message ---
--- Begin Message ---
Unblocked lxterminal.

--- End Message ---
