Ubuntu
pcmanfm package

Fix potential access violation, use runtime user dir instead of tmp dir

Bug #1708542 reported by Simon Quigley
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pcmanfm (Ubuntu)
Fix Released
Undecided
Unassigned
Trusty
Fix Released
Undecided
Simon Quigley
Xenial
Fix Released
Undecided
Simon Quigley
Zesty
Fix Released
Undecided
Simon Quigley

Bug Description

PCManFM 1.2.5 insecurely uses /tmp for a socket file, allowing a local user
to cause a denial of service (application unavailability). This is tracked in CVE-2017-8934, and should be fixed.

CVE References

Simon Quigley (tsimonq2)
information type: Public → Public Security
summary: - Fix potential access violation, use runtime user dir instead of tmp
- dir.
+ Fix potential access violation, use runtime user dir instead of tmp dir
Changed in pcmanfm (Ubuntu Trusty):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in pcmanfm (Ubuntu Xenial):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in pcmanfm (Ubuntu Zesty):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in pcmanfm (Ubuntu Trusty):
status: New → In Progress
Changed in pcmanfm (Ubuntu Xenial):
status: New → In Progress
Changed in pcmanfm (Ubuntu Zesty):
status: New → In Progress
Changed in pcmanfm (Ubuntu):
status: New → Fix Released
Revision history for this message
Simon Quigley (tsimonq2) wrote :

Attached is a debdiff for Trusty applicable to 1.2.0-1.

I have tested this fix with a fresh Lubuntu Trusty install and it works completely fine.

Revision history for this message
Simon Quigley (tsimonq2) wrote :

Attached is a debdiff for Xenial applicable to 1.2.4-1.

I have tested this fix with a fresh Lubuntu Xenial install and it works completely fine.

Revision history for this message
Simon Quigley (tsimonq2) wrote :

Attached is a debdiff for Zesty applicable to 1.2.5-2.

I have tested this fix with a fresh Lubuntu Zesty install and it works completely fine.

Revision history for this message
Tyler Hicks (tyhicks) wrote :

Thanks, Simon! These updates all look good to me. I've sponsored them into ppa:ubuntu-security-proposed/ppa and will release them on Monday morning.

Changed in pcmanfm (Ubuntu Trusty):
status: In Progress → Confirmed
Changed in pcmanfm (Ubuntu Xenial):
status: In Progress → Confirmed
Changed in pcmanfm (Ubuntu Zesty):
status: In Progress → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pcmanfm - 1.2.4-1ubuntu0.1

---------------
pcmanfm (1.2.4-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Fix potential access violation, use runtime user dir
    instead of tmp dir (LP: #1708542)
    - fix-CVE-2017-8934.patch
    - CVE-2017-8934

 -- Simon Quigley <email address hidden> Thu, 03 Aug 2017 17:15:27 -0500

Changed in pcmanfm (Ubuntu Xenial):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pcmanfm - 1.2.5-2ubuntu0.1

---------------
pcmanfm (1.2.5-2ubuntu0.1) zesty-security; urgency=medium

  * SECURITY UPDATE: Fix potential access violation, use runtime user dir
    instead of tmp dir (LP: #1708542)
    - fix-CVE-2017-8934.patch
    - CVE-2017-8934

 -- Simon Quigley <email address hidden> Thu, 03 Aug 2017 17:24:30 -0500

Changed in pcmanfm (Ubuntu Zesty):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pcmanfm - 1.2.0-1ubuntu0.1

---------------
pcmanfm (1.2.0-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Fix potential access violation, use runtime user dir
    instead of tmp dir (LP: #1708542)
    - fix-CVE-2017-8934.patch
    - CVE-2017-8934

 -- Simon Quigley <email address hidden> Thu, 03 Aug 2017 16:55:35 -0500

Changed in pcmanfm (Ubuntu Trusty):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.