Date: Mon, 15 May 2017 18:56:57 +0200
From: Guido Berhoerster <>
Cc: Yao Wei <>
Subject: Re: CVE-2017-8934 pcmanfm: single instance socket may
 be blocked by another user

* Yao Wei <> [2017-05-15 17:37]:
> The socket placed in /tmp is predictable and public-writable. Therefore
> if one user placed a symlink to another socket instead of socket for
> another user then said another user will either be unable to use
> pcmanfm, or may send requests to the first user's pcmanfm.
> This bug has been assigned to CVE-2017-8934 [1].  A fix has been
> committed to pcmanfm's git repository [2].  LXDE developers are
> working on a release which fixes the problem.
> [1]:
> [2]:;a=commitdiff;h=bc8c3d871e9ecc67c47ff002b68cf049793faf08

The "fix" is ifdef'd for glib >= 2.28.0, so the vulnerability
still exists when compiling against an older version of glib.
Guido Berhoerster
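
One way to avoid the predictable, world-writable /tmp socket path discussed in this thread, as an added example that is not pcmanfm's fix and not code from either poster: keep the socket in a per-user 0700 directory and verify that directory with lstat() before using it. The directory name `example-app-<uid>` and both function names are hypothetical, and the example assumes the parent directory is either private or has the sticky bit set, as /tmp normally does.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example with hypothetical names, not pcmanfm code.
 * Create or reuse a private per-user directory under base for the
 * single-instance socket. Returns 0 and fills out on success; -1 if the
 * path is a symlink, not a directory, owned by another user, or
 * accessible to group/other. */
int private_socket_dir(const char *base, uid_t uid, char *out, size_t outlen)
{
    struct stat st;
    int n = snprintf(out, outlen, "%s/example-app-%lu", base,
                     (unsigned long)uid);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    /* mkdir() never follows a symlink in the last component; it fails
     * with EEXIST if any file type already occupies the name. */
    if (mkdir(out, 0700) != 0 && errno != EEXIST)
        return -1;
    /* lstat(), not stat(): a planted symlink must be seen as a symlink. */
    if (lstat(out, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != uid ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
        return -1;
    return 0;
}

/* Constructed scenario: a symlink already sits at the predictable name.
 * Returns 1 if private_socket_dir() refuses it, -1 on setup failure. */
int planted_symlink_is_rejected(void)
{
    char base[] = "/tmp/sockdemo-XXXXXX";
    char target[64], planted[64], out[64];
    int rejected;
    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/elsewhere", base);
    snprintf(planted, sizeof planted, "%s/example-app-%lu", base,
             (unsigned long)getuid());
    if (mkdir(target, 0700) != 0 || symlink(target, planted) != 0)
        return -1;
    rejected = private_socket_dir(base, getuid(), out, sizeof out) == -1;
    unlink(planted); rmdir(target); rmdir(base);
    return rejected;
}
```

The socket itself would then be bound inside the returned directory, where other local users can neither pre-create nor replace it.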
