[CVE] socket can be blocked by another user

Bug #1690416 reported by Simon Quigley on 2017-05-12
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
lxterminal (Ubuntu)
Status tracked in Artful
Trusty
Undecided
Unassigned
Xenial
Undecided
Unassigned
Zesty
Undecided
Simon Quigley
Artful
Undecided
Unassigned

Bug Description

unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE References

Simon Quigley (tsimonq2) on 2017-05-12
Changed in lxterminal (Ubuntu):
status: New → In Progress
assignee: nobody → Simon Quigley (tsimonq2)
information type: Private Security → Public Security
Simon Quigley (tsimonq2) wrote :

In order to fix this, we can just sync 0.3.0-2 from Sid to Zesty. Here is the changelog for 0.3.0-2:

lxterminal (0.3.0-2) unstable; urgency=high

  * Fix improper use of /tmp for a socket file. (CVE-2016-10369)
    (Closes: #862098)
  * Fix tab renaming dialog. (Closes: #862096)

 -- Yao Wei (魏銘廷) <email address hidden> Tue, 09 May 2017 12:13:07 +0800

The first entry is fixing the CVE that this bug is about, and the second entry is fixing a bug that we would have to upload anyways "unable to rename tabs" and that's perfectly valid for an SRU, in my opinion.

Security team, I think there's a few options here:
 1. Make an Ubuntu delta with only this CVE in Zesty, upload it to zesty-security, and file a separate SRU bug to get the additional patch from Debian in there. I think, technically speaking, this follows the most rules.
 2. Just sync from Debian Sid as shown above, and skip the SRU docs for the additional part of the upload. This would be the easiest, and it would be simpler.

Thoughts?

Changed in lxterminal (Ubuntu Artful):
status: In Progress → Fix Released
assignee: Simon Quigley (tsimonq2) → nobody
Changed in lxterminal (Ubuntu Zesty):
status: New → In Progress
assignee: nobody → Simon Quigley (tsimonq2)
Tyler Hicks (tyhicks) wrote :

Hi Simon - Thanks for the bug report. The tab renaming bug fix is more appropriate for the SRU process. Could you attach a debdiff for zesty-security that only addresses CVE-2016-10369? Thanks!

Changed in lxterminal (Ubuntu Zesty):
status: In Progress → Incomplete
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxterminal - 0.3.0-1ubuntu0.1

---------------
lxterminal (0.3.0-1ubuntu0.1) zesty-security; urgency=medium

  * SECURITY UPDATE: insecure /tmp use denial of service (LP: #1690416)
    - debian/patches/01-cve-2016-10369.diff: use per-user runtime
      directory for socket
    - CVE-2016-10369

 -- Steve Beattie <email address hidden> Fri, 19 May 2017 11:21:56 -0700

Changed in lxterminal (Ubuntu Zesty):
status: Incomplete → Fix Released
Simon Quigley (tsimonq2) wrote :

Whoops, it seems this also affects Xenial and Trusty. I'll get a fix ASAP.

Simon Quigley (tsimonq2) wrote :

Attached is a debdiff for Xenial applicable to 0.2.0-1.

Simon Quigley (tsimonq2) wrote :

Whoops, I accidentally forgot to change the release to xenial-security, so here's an updated patch...

Simon Quigley (tsimonq2) wrote :

Attached is a debdiff for Trusty applicable to 0.1.11-4ubuntu3.

Simon Quigley (tsimonq2) wrote :

For both of my debdiffs, I had to do some backporting using the methods used in the older code and I had to substitute the old methods in for the new ones when applying the patch, if that makes sense. To be more specific, here's what upstream did on the master branch:

- gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", gdk_display_get_name(gdk_display_get_default()), g_get_user_name());
+ gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", g_get_user_runtime_dir(), gdk_display_get_name(gdk_display_get_default()));
+ printf("%s\n", socket_path);

But here's what the existing code looked like in both the 0.2.0 and the 0.1.11 tags:

    gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", gdk_get_display(), g_get_user_name());

As you can probably tell, the newer code changed compared to the old code. So I adapted the patch for the older methods used in the code, and here's what I ended up with:

- gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", gdk_get_display(), g_get_user_name());
+ gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", g_get_user_runtime_dir(), gdk_get_display());
+ printf("%s\n", socket_path);

After testing this out from my PPA (ppa:tsimonq2/lxterminal-bug-1690416) on both a Trusty and a Xenial system, it works just as intended (it creates the file in the correct location rather than in /tmp).

Any concerns with my logic there?

Simon Quigley (tsimonq2) on 2017-07-28
Changed in lxterminal (Ubuntu Trusty):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in lxterminal (Ubuntu Xenial):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in lxterminal (Ubuntu Trusty):
status: New → In Progress
Changed in lxterminal (Ubuntu Xenial):
status: New → In Progress
Tyler Hicks (tyhicks) wrote :

Hi Simon - These backports look good to me. I've uploaded them to ppa:ubuntu-security-proposed/ppa and will release them later today. Thank you and sorry about the delay in getting these sponsored.

Changed in lxterminal (Ubuntu Trusty):
status: In Progress → Confirmed
Changed in lxterminal (Ubuntu Xenial):
status: In Progress → Confirmed
Changed in lxterminal (Ubuntu Trusty):
assignee: Simon Quigley (tsimonq2) → nobody
Changed in lxterminal (Ubuntu Xenial):
assignee: Simon Quigley (tsimonq2) → nobody
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxterminal - 0.2.0-1ubuntu0.1

---------------
lxterminal (0.2.0-1ubuntu0.1) xenial-security; urgency=high

  * SECURITY UPDATE: insecure /tmp use denial of service (LP: #1690416)
    - debian/patches/fix-CVE-2016-10369.patch
    - CVE-2016-10369

 -- Simon Quigley <email address hidden> Tue, 11 Jul 2017 00:48:57 -0500

Changed in lxterminal (Ubuntu Xenial):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxterminal - 0.1.11-4ubuntu3.1

---------------
lxterminal (0.1.11-4ubuntu3.1) trusty-security; urgency=high

  * SECURITY UPDATE: insecure /tmp use denial of service (LP: #1690416)
    - debian/patches/fix-CVE-2016-10369.patch
    - CVE-2016-10369

 -- Simon Quigley <email address hidden> Tue, 11 Jul 2017 01:19:58 -0500

Changed in lxterminal (Ubuntu Trusty):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers