[CVE] socket can be blocked by another user
Bug #1690416 reported by
Simon Quigley
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
lxterminal (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Trusty |
Fix Released
|
Undecided
|
Unassigned | ||
Xenial |
Fix Released
|
Undecided
|
Unassigned | ||
Zesty |
Fix Released
|
Undecided
|
Simon Quigley | ||
Artful |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).
CVE References
Changed in lxterminal (Ubuntu): | |
status: | New → In Progress |
assignee: | nobody → Simon Quigley (tsimonq2) |
information type: | Private Security → Public Security |
Changed in lxterminal (Ubuntu Trusty): | |
assignee: | nobody → Simon Quigley (tsimonq2) |
Changed in lxterminal (Ubuntu Xenial): | |
assignee: | nobody → Simon Quigley (tsimonq2) |
Changed in lxterminal (Ubuntu Trusty): | |
status: | New → In Progress |
Changed in lxterminal (Ubuntu Xenial): | |
status: | New → In Progress |
To post a comment you must log in.
In order to fix this, we can just sync 0.3.0-2 from Sid to Zesty. Here is the changelog for 0.3.0-2:
lxterminal (0.3.0-2) unstable; urgency=high
* Fix improper use of /tmp for a socket file. (CVE-2016-10369)
(Closes: #862098)
* Fix tab renaming dialog. (Closes: #862096)
-- Yao Wei (魏銘廷) <email address hidden> Tue, 09 May 2017 12:13:07 +0800
The first entry is fixing the CVE that this bug is about, and the second entry is fixing a bug that we would have to upload anyways "unable to rename tabs" and that's perfectly valid for an SRU, in my opinion.
Security team, I think there's a few options here:
1. Make an Ubuntu delta with only this CVE in Zesty, upload it to zesty-security, and file a separate SRU bug to get the additional patch from Debian in there. I think, technically speaking, this follows the most rules.
2. Just sync from Debian Sid as shown above, and skip the SRU docs for the additional part of the upload. This would be the easiest, and it would be simpler.
Thoughts?