Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#54082 - [menu-cache] Include fix for CVE-2017-8933
Attached to Project:
Community Packages
Opened by Pascal Ernster (hardfalcon) - Tuesday, 16 May 2017, 09:56 GMT
Last edited by Balló György (City-busz) - Sunday, 18 June 2017, 09:15 GMT
Opened by Pascal Ernster (hardfalcon) - Tuesday, 16 May 2017, 09:56 GMT
Last edited by Balló György (City-busz) - Sunday, 18 June 2017, 09:15 GMT
|
DetailsDescription:
Libmenu-cache 1.0.2 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (menu unavailability). (copy-pasted from the CVE description) Unfortunately, the LXDE project has not yet bothered to release a new version, though the following git commit seems to fix the CVE: https://git.lxde.org/gitweb/?p=lxde/menu-cache.git;a=commit;h=56f66684592abf257c4004e6e1fff041c64a12ce It would probably be easiest to just use upstream's git master until they push out a new release. |
This task depends upon
Closed by Balló György (City-busz)
Sunday, 18 June 2017, 09:15 GMT
Reason for closing: Fixed
Additional comments about closing: menu-cache 1.0.2-2
Sunday, 18 June 2017, 09:15 GMT
Reason for closing: Fixed
Additional comments about closing: menu-cache 1.0.2-2
Comment by Jelle van der Waa (jelly) -
Tuesday, 16 May 2017, 10:07 GMT
It's a single patch, using something as unstable as master shouldn't be encouraged.