Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 15 May 2017 18:56:57 +0200
From: Guido Berhoerster <guido+openwall.com@...hoerster.name>
To: oss-security@...ts.openwall.com
Cc: Yao Wei <mwei@...e.org>
Subject: Re: CVE-2017-8934 pcmanfm: single instance socket may
 be blocked by another user

* Yao Wei <mwei@...e.org> [2017-05-15 17:37]:
> The socket placed in /tmp is predictable and public-writable. Therefore
> if one user placed a symlink to another socket instead of socket for
> another user then said another user will either be unable to use
> pcmanfm, or may send requests to the first user's pcmanfm.
> 
> This bug has been assigned to CVE-2017-8934 [1].  A fix has been
> committed to pcmanfm's git repository [2].  LXDE developers are
> working on a release which fixes the problem.
> 
> [1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8934
> [2]: https://git.lxde.org/gitweb/?p=lxde/pcmanfm.git;a=commitdiff;h=bc8c3d871e9ecc67c47ff002b68cf049793faf08

The "fix" is ifdef'd for glib >= 2.28.0, so the vulnerability
still exists when compiling against an older version of glib.
-- 
Guido Berhoerster

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.