FS#54082 : [menu-cache] Include fix for CVE-2017-8933

FS#54082 - [menu-cache] Include fix for CVE-2017-8933

Attached to Project: Community Packages
Opened by Pascal Ernster (hardfalcon) - Tuesday, 16 May 2017, 09:56 GMT
Last edited by Balló György (City-busz) - Sunday, 18 June 2017, 09:15 GMT

Task Type	Bug Report
Category	Security
Status	Closed
Assigned To	Balló György (City-busz) Levente Polyak (anthraxx)
Architecture	All
Severity	Medium
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	1 Pascal Ernster (hardfalcon) (2017-05-16)
Private	No

Details

Description:

Libmenu-cache 1.0.2 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (menu unavailability).

(copy-pasted from the CVE description)

Unfortunately, the LXDE project has not yet bothered to release a new version, though the following git commit seems to fix the CVE:
https://git.lxde.org/gitweb/?p=lxde/menu-cache.git;a=commit;h=56f66684592abf257c4004e6e1fff041c64a12ce

It would probably be easiest to just use upstream's git master until they push out a new release.

This task depends upon

Closed by Balló György (City-busz)
Sunday, 18 June 2017, 09:15 GMT
Reason for closing: Fixed
Additional comments about closing: menu-cache 1.0.2-2

Comment by Jelle van der Waa (jelly) - Tuesday, 16 May 2017, 10:07 GMT

It's a single patch, using something as unstable as master shouldn't be encouraged.

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#54082 - [menu-cache] Include fix for CVE-2017-8933

Details

Loading...