Your message dated Tue, 09 May 2017 06:34:08 +0000
with message-id <[email protected]>
and subject line Bug#862098: fixed in lxterminal 0.3.0-2
has caused the Debian Bug report #862098,
regarding lxterminal: CVE-2016-10369: socket can be blocked by another user
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
862098: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862098
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: lxterminal
Version: 0.3.0-1
Severity: grave
Tags: upstream patch security
Justification: user security hole

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This vulnerability is discussed on a Stack Exchange website:

https://unix.stackexchange.com/questions/333539/lxterminal-in-the-netstat-output/333578

The socket placed in /tmp is predictable and public-writable. Therefore,
if Alice placed a file or lxterminal socket in
/tmp/.lxterminal-socket:0-bob, Bob is unable to open lxterminal, or open
a lxterminal instance for Alice.

This bug is fixed in the commit:
https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648

- -- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lxterminal depends on:
ii  libatk1.0-0          2.22.0-1
ii  libc6                2.24-10
ii  libcairo2            1.14.8-1
ii  libfontconfig1       2.11.0-6.7+b1
ii  libfreetype6         2.6.3-3.2
ii  libgdk-pixbuf2.0-0   2.36.5-2
ii  libglib2.0-0         2.50.3-2
ii  libgtk2.0-0          2.24.31-2
ii  libpango-1.0-0       1.40.5-1
ii  libpangocairo-1.0-0  1.40.5-1
ii  libpangoft2-1.0-0    1.40.5-1
ii  libvte9              1:0.28.2-5+b2
ii  libx11-6             2:1.6.4-3
ii  libxext6             2:1.3.3-1+b2

lxterminal recommends no packages.

lxterminal suggests no packages.

- -- no debconf information

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
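
The report above turns on a control socket living at a predictable name in a
directory every user can write to. The following is an added example, not code
from lxterminal or from the upstream commit: it refuses to bind a Unix socket
unless the directory belongs to the calling user and nobody else can write to it.
The names dir_is_private, bind_private_socket, demo and "socket-0" are
hypothetical, and the scratch directories are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* 1 if dir is a real directory owned by uid that no one else can write to. */
int dir_is_private(const char *dir, uid_t uid)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;   /* missing, or a symlink/file planted in its place */
    return st.st_uid == uid && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Bind and listen on dir/name. Returns the fd, or -1 if the directory is
 * shared, the path is too long, or the name is already taken. */
int bind_private_socket(const char *dir, const char *name)
{
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    int fd, n = snprintf(addr.sun_path, sizeof addr.sun_path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof addr.sun_path || !dir_is_private(dir, geteuid()))
        return -1;
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0 || listen(fd, 5) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo: make a scratch directory, optionally with /tmp-style
 * mode 1777. Returns 1 if the socket was bound, 0 if refused, -1 on error. */
int demo(int tmp_style)
{
    char dir[] = "/tmp/lxt-demo-XXXXXX", path[64];
    int fd;
    if (!mkdtemp(dir) || (tmp_style && chmod(dir, 01777) != 0))
        return -1;
    fd = bind_private_socket(dir, "socket-0");
    snprintf(path, sizeof path, "%s/socket-0", dir);
    if (fd >= 0) { close(fd); unlink(path); }
    rmdir(dir);
    return fd >= 0;
}

int main(void) { printf("private: %d, /tmp-style: %d\n", demo(0), demo(1)); return 0; }
```
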
--- Begin Message ---
Source: lxterminal
Source-Version: 0.3.0-2

We believe that the bug you reported is fixed in the latest version of
lxterminal, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yao Wei (魏銘廷) <[email protected]> (supplier of updated lxterminal package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 09 May 2017 12:13:07 +0800
Source: lxterminal
Binary: lxterminal lxterminal-dbg
Architecture: source
Version: 0.3.0-2
Distribution: unstable
Urgency: high
Maintainer: Debian LXDE Maintainers <[email protected]>
Changed-By: Yao Wei (魏銘廷) <[email protected]>
Description:
 lxterminal - LXDE terminal emulator
 lxterminal-dbg - LXDE terminal emulator (debug)
Closes: 862096 862098
Changes:
 lxterminal (0.3.0-2) unstable; urgency=high
 .
   * Fix improper use of /tmp for a socket file. (CVE-2016-10369)
     (Closes: #862098)
   * Fix tab renaming dialog. (Closes: #862096)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---