
Bug#862169: jessie-pu: package lxterminal/0.2.0-1



Hi,

On Tue, Jun 27, 2017 at 10:59:24PM +0200, Cyril Brulebois wrote:
> You're fixing this through jessie-pu (short for jessie-proposed-updates),
> rather than via security; so please use “jessie” as the target codename.

Sorry, the patch was meant for the jessie-security target.  Attached is
the corrected one.

Yao Wei
diff -Nru lxterminal-0.2.0/debian/changelog lxterminal-0.2.0/debian/changelog
--- lxterminal-0.2.0/debian/changelog	2014-10-22 06:18:50.000000000 +0800
+++ lxterminal-0.2.0/debian/changelog	2017-05-09 11:37:21.000000000 +0800
@@ -1,3 +1,10 @@
+lxterminal (0.2.0-1+deb8u1) jessie; urgency=high
+
+  * Fix improper use of /tmp for a socket file (CVE-2016-10369)
+    (Closes: #862098)
+
+ -- Yao Wei (魏銘廷) <mwei@lxde.org>  Tue, 09 May 2017 11:37:21 +0800
+
 lxterminal (0.2.0-1) unstable; urgency=low
 
   * Adding --disable-silent-rules to fix buildlog checker warning.
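Review bot: The trailer of the new 0.2.0-1+deb8u1 entry is still dated 09 May 2017, although the target codename was changed after the 27 June review; refresh the timestamp when the corrected package is uploaded. The entry could also name the added patch, debian/patches/01-cve-2016-10369.diff, and state that the socket moves from /tmp to the user runtime directory, so the behaviour change is clear from the changelog alone.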
diff -Nru lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff
--- lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff	1970-01-01 08:00:00.000000000 +0800
+++ lxterminal-0.2.0/debian/patches/01-cve-2016-10369.diff	2017-05-09 11:37:21.000000000 +0800
@@ -0,0 +1,19 @@
+From: Yao Wei (魏銘廷) <mwei@lxde.org>
+Subject: fix: CVE-2016-10369: socket can be blocked by another user
+
+* fix: use g_get_user_runtime_dir for socket directory
+
+Origin: upstream, https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648
+Bug-Debian: http://bugs.debian.org/862098
+
+--- a/src/unixsocket.c
++++ b/src/unixsocket.c
+@@ -120,7 +120,7 @@
+      * This function returns TRUE if this process should keep running and FALSE if it should exit. */
+ 
+     /* Formulate the path for the Unix domain socket. */
+-    gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", gdk_get_display(), g_get_user_name());
++    gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", g_get_user_runtime_dir(), gdk_display_get_name(gdk_display_get_default()));
+ 
+     /* Create socket. */
+     int fd = socket(PF_UNIX, SOCK_STREAM, 0);
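Review bot: On the new socket_path line, the result of gdk_display_get_default() is passed straight to gdk_display_get_name() with no NULL check, and the value of g_get_user_runtime_dir() is used without any check on the directory it names. GLib falls back to the user cache directory when XDG_RUNTIME_DIR is unset, so the socket may land in a directory with different permissions and lifetime than a per-user runtime directory, and the longer prefix brings the path closer to the sun_path size limit. Suggest checking the display pointer before formatting the path and confirming the directory is owned by the user and not writable by others before the socket is bound. The patch header should also note that g_get_user_name() is dropped from the file name because the directory is already per-user, since that changes the socket name existing instances listen on.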
diff -Nru lxterminal-0.2.0/debian/patches/series lxterminal-0.2.0/debian/patches/series
--- lxterminal-0.2.0/debian/patches/series	2014-10-22 05:56:19.000000000 +0800
+++ lxterminal-0.2.0/debian/patches/series	2017-05-09 11:37:21.000000000 +0800
@@ -0,0 +1 @@
+01-cve-2016-10369.diff
