Fix potential access violation, use runtime user dir instead of tmp dir
Bug #1708542 reported by Simon Quigley
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pcmanfm (Ubuntu) | Fix Released | Undecided | Unassigned |
Trusty | Fix Released | Undecided | Simon Quigley |
Xenial | Fix Released | Undecided | Simon Quigley |
Zesty | Fix Released | Undecided | Simon Quigley |
Bug Description
PCManFM 1.2.5 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (application unavailability). This is tracked in CVE-2017-8934, and should be fixed.
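The approach named in this bug's title, as an added example (not PCManFM's code and not the attached debdiff): the socket address is built only under a directory verified to belong to the calling user and closed to everyone else, such as `XDG_RUNTIME_DIR`, instead of a predictable name in world-writable /tmp. The function names and the `<app>-socket-<display>` naming scheme are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* 0 only for an absolute, non-symlink directory owned by uid with no group/other bits. */
int runtime_dir_is_private(const char *dir, uid_t uid)
{
    struct stat st;
    if (dir == NULL || dir[0] != '/' || lstat(dir, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != uid)
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) ? -1 : 0;
}

/* Fill addr with "<dir>/<app>-socket-<display>" (hypothetical naming scheme).
 * Returns -1 if dir is not private or the path does not fit in sun_path. */
int build_socket_addr(const char *dir, const char *app, const char *display,
                      struct sockaddr_un *addr)
{
    memset(addr, 0, sizeof *addr);
    if (runtime_dir_is_private(dir, getuid()) != 0)
        return -1;
    int n = snprintf(addr->sun_path, sizeof addr->sun_path, "%s/%s-socket-%s",
                     dir, app, display);
    if (n < 0 || (size_t)n >= sizeof addr->sun_path) {
        memset(addr, 0, sizeof *addr);   /* never hand back a truncated path */
        return -1;
    }
    addr->sun_family = AF_UNIX;
    return 0;
}

int main(void)
{
    struct sockaddr_un addr;
    const char *dir = getenv("XDG_RUNTIME_DIR"); /* per-user dir set by the login session */
    if (build_socket_addr(dir, "demo", "0", &addr) != 0) {
        fprintf(stderr, "no private runtime dir; not falling back to /tmp\n");
        return 1;
    }
    printf("socket path: %s\n", addr.sun_path);
    return 0;
}
```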
CVE References
information type: | Public → Public Security |
summary: |
- Fix potential access violation, use runtime user dir instead of tmp
- dir.
+ Fix potential access violation, use runtime user dir instead of tmp dir
Changed in pcmanfm (Ubuntu Trusty): | |
assignee: | nobody → Simon Quigley (tsimonq2) |
Changed in pcmanfm (Ubuntu Xenial): | |
assignee: | nobody → Simon Quigley (tsimonq2) |
Changed in pcmanfm (Ubuntu Zesty): | |
assignee: | nobody → Simon Quigley (tsimonq2) |
Changed in pcmanfm (Ubuntu Trusty): | |
status: | New → In Progress |
Changed in pcmanfm (Ubuntu Xenial): | |
status: | New → In Progress |
Changed in pcmanfm (Ubuntu Zesty): | |
status: | New → In Progress |
Changed in pcmanfm (Ubuntu): | |
status: | New → Fix Released |
Attached is a debdiff for Trusty applicable to 1.2.0-1.
I have tested this fix with a fresh Lubuntu Trusty install and it works completely fine.