Date: Mon, 15 May 2017 23:34:50 +0800
From: Yao Wei <mwei@...e.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-8934 pcmanfm: single instance socket may be blocked by
 another user

The socket placed in /tmp is predictable and publicly writable. Therefore,
if one user places a symlink to another socket in place of the socket for
another user, then that other user will either be unable to use
pcmanfm, or may send requests to the first user's pcmanfm.

This bug has been assigned to CVE-2017-8934 [1].  A fix has been
committed to pcmanfm's git repository [2].  LXDE developers are
working on a release which fixes the problem.

[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8934
[2]: https://git.lxde.org/gitweb/?p=lxde/pcmanfm.git;a=commitdiff;h=bc8c3d871e9ecc67c47ff002b68cf049793faf08
