[CVE] Socket may be blocked by another user
Bug #1703564 reported by Simon Quigley
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
menu-cache (Ubuntu) | Fix Released | Medium | Unassigned |
Trusty | Fix Released | Medium | Simon Quigley |
Xenial | Fix Released | Medium | Simon Quigley |
Zesty | Fix Released | Medium | Simon Quigley |
Bug Description
The socket placed in /tmp is predictable and public-writable. Therefore,
if one user places a symlink to another socket in place of the socket for
another user, then that other user will either be unable to get the menu or
will receive the menu of some other user. Upstream released a fix for this
issue:
CVE References
information type: | Public → Public Security |
Changed in menu-cache (Ubuntu): | |
assignee: | nobody → Simon Quigley (tsimonq2) |
status: | New → In Progress |
summary: | Socket may be blocked by another user → [CVE] Socket may be blocked by another user |
Changed in menu-cache (Ubuntu Trusty): | |
importance: | Undecided → Medium |
Changed in menu-cache (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in menu-cache (Ubuntu Zesty): | |
importance: | Undecided → Medium |
Changed in menu-cache (Ubuntu): | |
importance: | Undecided → Medium |
Changed in menu-cache (Ubuntu Trusty): | |
assignee: | nobody → Simon Quigley (tsimonq2) |
Changed in menu-cache (Ubuntu Xenial): | |
assignee: | nobody → Simon Quigley (tsimonq2) |
Changed in menu-cache (Ubuntu Zesty): | |
assignee: | nobody → Simon Quigley (tsimonq2) |
Changed in menu-cache (Ubuntu): | |
assignee: | Simon Quigley (tsimonq2) → nobody |
status: | In Progress → Fix Released |
Changed in menu-cache (Ubuntu Trusty): | |
status: | New → In Progress |
Changed in menu-cache (Ubuntu Xenial): | |
status: | New → Incomplete |
status: | Incomplete → In Progress |
Changed in menu-cache (Ubuntu Zesty): | |
status: | New → In Progress |
Attached is a debdiff for Zesty applicable to 1.0.2-1. I have tested this on a fresh Lubuntu 17.04 install and it works fine.