[CVE] socket can be blocked by another user

Bug #1690416 reported by Simon Quigley on 2017-05-12
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
lxterminal (Ubuntu)
Status tracked in Artful
Zesty
Undecided
Simon Quigley
Artful
Undecided
Unassigned

Bug Description

unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE References

Simon Quigley (tsimonq2) on 2017-05-12
Changed in lxterminal (Ubuntu):
status: New → In Progress
assignee: nobody → Simon Quigley (tsimonq2)
information type: Private Security → Public Security
Simon Quigley (tsimonq2) wrote :

In order to fix this, we can just sync 0.3.0-2 from Sid to Zesty. Here is the changelog for 0.3.0-2:

lxterminal (0.3.0-2) unstable; urgency=high

  * Fix improper use of /tmp for a socket file. (CVE-2016-10369)
    (Closes: #862098)
  * Fix tab renaming dialog. (Closes: #862096)

 -- Yao Wei (魏銘廷) <email address hidden> Tue, 09 May 2017 12:13:07 +0800

The first entry is fixing the CVE that this bug is about, and the second entry is fixing a bug that we would have to upload anyways "unable to rename tabs" and that's perfectly valid for an SRU, in my opinion.

Security team, I think there's a few options here:
 1. Make an Ubuntu delta with only this CVE in Zesty, upload it to zesty-security, and file a separate SRU bug to get the additional patch from Debian in there. I think, technically speaking, this follows the most rules.
 2. Just sync from Debian Sid as shown above, and skip the SRU docs for the additional part of the upload. This would be the easiest, and it would be simpler.

Thoughts?

Changed in lxterminal (Ubuntu Artful):
status: In Progress → Fix Released
assignee: Simon Quigley (tsimonq2) → nobody
Changed in lxterminal (Ubuntu Zesty):
status: New → In Progress
assignee: nobody → Simon Quigley (tsimonq2)
Tyler Hicks (tyhicks) wrote :

Hi Simon - Thanks for the bug report. The tab renaming bug fix is more appropriate for the SRU process. Could you attach a debdiff for zesty-security that only addresses CVE-2016-10369? Thanks!

Changed in lxterminal (Ubuntu Zesty):
status: In Progress → Incomplete
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxterminal - 0.3.0-1ubuntu0.1

---------------
lxterminal (0.3.0-1ubuntu0.1) zesty-security; urgency=medium

  * SECURITY UPDATE: insecure /tmp use denial of service (LP: #1690416)
    - debian/patches/01-cve-2016-10369.diff: use per-user runtime
      directory for socket
    - CVE-2016-10369

 -- Steve Beattie <email address hidden> Fri, 19 May 2017 11:21:56 -0700

Changed in lxterminal (Ubuntu Zesty):
status: Incomplete → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers