GNU bug report logs - #26857
[PATCH] gnu: lxterminal: Fix CVE-2016-10369.

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 26857 in the body.
You can then email your comments to 26857 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: lxterminal: Fix CVE-2016-10369.
Date: Tue,  9 May 2017 13:03:13 -0400

* gnu/packages/patches/lxterminal-CVE-2016-10369.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/lxde.scm (lxterminal)[source]: Use it.
---
 gnu/local.mk                                       |  1 +
 gnu/packages/lxde.scm                              |  1 +
 .../patches/lxterminal-CVE-2016-10369.patch        | 37 ++++++++++++++++++++++
 3 files changed, 39 insertions(+)
 create mode 100644 gnu/packages/patches/lxterminal-CVE-2016-10369.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index af37e6764..0d8daf766 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -790,6 +790,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/luminance-hdr-qt-printer.patch		\
   %D%/packages/patches/lvm2-static-link.patch			\
   %D%/packages/patches/lxsession-use-gapplication.patch         \
+  %D%/packages/patches/lxterminal-CVE-2016-10369.patch		\
   %D%/packages/patches/lz4-fix-test-failures.patch		\
   %D%/packages/patches/make-impure-dirs.patch			\
   %D%/packages/patches/mars-install.patch			\
diff --git a/gnu/packages/lxde.scm b/gnu/packages/lxde.scm
index 1164ba8cb..cc1156ae6 100644
--- a/gnu/packages/lxde.scm
+++ b/gnu/packages/lxde.scm
@@ -162,6 +162,7 @@ toolkit.  It allows users to monitor and control of running processes.")
               (uri (string-append "mirror://sourceforge/lxde/LXTerminal"
                                   "%20%28terminal%20emulator%29/LXTerminal%20"
                                   version "/" name "-" version ".tar.xz"))
+              (patches (search-patches "lxterminal-CVE-2016-10369.patch"))
               (sha256
                (base32
                 "1yf76s15zvfw0h42b0ay1slpq47khgjmcry8ki2z812zar9lchia"))))
diff --git a/gnu/packages/patches/lxterminal-CVE-2016-10369.patch b/gnu/packages/patches/lxterminal-CVE-2016-10369.patch
new file mode 100644
index 000000000..809eef08d
--- /dev/null
+++ b/gnu/packages/patches/lxterminal-CVE-2016-10369.patch
@@ -0,0 +1,37 @@
+Fix CVE-2016-10369:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10369
+
+Patch copied from upstream source repository:
+
+https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648
+
+From f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648 Mon Sep 17 00:00:00 2001
+From: Yao Wei <mwei <at> lxde.org>
+Date: Mon, 8 May 2017 00:47:55 +0800
+Subject: [PATCH] fix: use g_get_user_runtime_dir for socket directory
+
+This bug is pointed out by stackexchange user that putting socket file in
+/tmp is a potential risk. Putting the socket dir in user directory could
+mitigate the risk.
+---
+ src/unixsocket.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/unixsocket.c b/src/unixsocket.c
+index 4c660ac..f88284c 100644
+--- a/src/unixsocket.c
++++ b/src/unixsocket.c
+@@ -140,7 +140,8 @@ gboolean lxterminal_socket_initialize(LXTermWindow * lxtermwin, gint argc, gchar
+      * This function returns TRUE if this process should keep running and FALSE if it should exit. */
+ 
+     /* Formulate the path for the Unix domain socket. */
+-    gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", gdk_display_get_name(gdk_display_get_default()), g_get_user_name());
++    gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", g_get_user_runtime_dir(), gdk_display_get_name(gdk_display_get_default()));
++    printf("%s\n", socket_path);
+ 
+     /* Create socket. */
+     int fd = socket(PF_UNIX, SOCK_STREAM, 0);
+-- 
+2.1.4
+
-- 
2.12.2

Message #8 received at 26857 <at> debbugs.gnu.org (full text, mbox):

From: Kei Kebreau <kei <at> openmailbox.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: 26857 <at> debbugs.gnu.org
Subject: Re: bug#26857: [PATCH] gnu: lxterminal: Fix CVE-2016-10369.
Date: Tue, 09 May 2017 19:31:41 -0400

[Message part 1 (text/plain, inline)]

Leo Famulari <leo <at> famulari.name> writes:

> * gnu/packages/patches/lxterminal-CVE-2016-10369.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/lxde.scm (lxterminal)[source]: Use it.
> ---
>  gnu/local.mk                                       |  1 +
>  gnu/packages/lxde.scm                              |  1 +
>  .../patches/lxterminal-CVE-2016-10369.patch        | 37 ++++++++++++++++++++++
>  3 files changed, 39 insertions(+)

LGTM.

[signature.asc (application/pgp-signature, inline)]

Message #13 received at 26857-done <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Kei Kebreau <kei <at> openmailbox.org>
Cc: 26857-done <at> debbugs.gnu.org
Subject: Re: bug#26857: [PATCH] gnu: lxterminal: Fix CVE-2016-10369.
Date: Tue, 9 May 2017 19:36:34 -0400

[Message part 1 (text/plain, inline)]

On Tue, May 09, 2017 at 07:31:41PM -0400, Kei Kebreau wrote:
> Leo Famulari <leo <at> famulari.name> writes:
> 
> > * gnu/packages/patches/lxterminal-CVE-2016-10369.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/lxde.scm (lxterminal)[source]: Use it.
> > ---
> >  gnu/local.mk                                       |  1 +
> >  gnu/packages/lxde.scm                              |  1 +
> >  .../patches/lxterminal-CVE-2016-10369.patch        | 37 ++++++++++++++++++++++
> >  3 files changed, 39 insertions(+)
> 
> LGTM.

Thanks, pushed as 8775fc10c61f493c9363ca288402f5f764b6d949.

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.