Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#54081 - [lxterminal] Include fix for CVE-2016-10369
Attached to Project:
Community Packages
Opened by Pascal Ernster (hardfalcon) - Tuesday, 16 May 2017, 09:50 GMT
Last edited by Balló György (City-busz) - Sunday, 18 June 2017, 09:28 GMT
Opened by Pascal Ernster (hardfalcon) - Tuesday, 16 May 2017, 09:50 GMT
Last edited by Balló György (City-busz) - Sunday, 18 June 2017, 09:28 GMT
|
DetailsDescription:
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control). (copy-pasted from the CVE description) Unfortunately, the LXDE project has not yet bothered to release a new version, though the following git commit seems to fix the CVE: https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648 Would probably be easiest to just use upstream's git master until they push out a new release. |
This task depends upon
Closed by Balló György (City-busz)
Sunday, 18 June 2017, 09:28 GMT
Reason for closing: Fixed
Additional comments about closing: lxterminal 0.3.0-2 and lxterminal-gtk3 0.3.0-2
Sunday, 18 June 2017, 09:28 GMT
Reason for closing: Fixed
Additional comments about closing: lxterminal 0.3.0-2 and lxterminal-gtk3 0.3.0-2