diff options
| author | Daniel Sabogal <dsabogalcc@gmail.com> | 2017-08-07 11:39:54 -0400 |
|---|---|---|
| committer | Sören Tempel <soeren+git@soeren-tempel.net> | 2017-08-22 23:16:37 +0200 |
| commit | 1e49fb2fed3a645ef6f77d40314c8aab20c8fa6a (patch) | |
| tree | fb56dd6b3234122e826c2b98c45c468608711f25 | |
| parent | 1c0b7832bcd99561ec460174fd75dee6941e8d1a (diff) | |
| download | aports-1e49fb2fed3a645ef6f77d40314c8aab20c8fa6a.tar.bz2 aports-1e49fb2fed3a645ef6f77d40314c8aab20c8fa6a.tar.xz | |
main/lxterminal: security fix for CVE-2016-10369
| -rw-r--r-- | main/lxterminal/APKBUILD | 12 | ||||
| -rw-r--r-- | main/lxterminal/CVE-2016-10369.patch | 26 |
2 files changed, 35 insertions, 3 deletions
diff --git a/main/lxterminal/APKBUILD b/main/lxterminal/APKBUILD index 7f227a50ba..534d0bd007 100644 --- a/main/lxterminal/APKBUILD +++ b/main/lxterminal/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=lxterminal pkgver=0.3.0 -pkgrel=0 +pkgrel=1 pkgdesc="Desktop-independent VTE-based terminal emulator" url="http://lxde.org/" arch="all" @@ -11,9 +11,14 @@ depends="" makedepends="vte-dev" install="" subpackages="$pkgname-doc $pkgname-lang" -source="https://downloads.sourceforge.net/lxde/$pkgname-$pkgver.tar.xz" +source="https://downloads.sourceforge.net/lxde/$pkgname-$pkgver.tar.xz + CVE-2016-10369.patch" builddir="$srcdir"/$pkgname-$pkgver +# secfixes: +# 0.3.0-r1: +# - CVE-2016-10369 + build() { cd "$builddir" ./configure \ @@ -33,4 +38,5 @@ package() { make DESTDIR="$pkgdir" install || return 1 } -sha512sums="05eb6ef8904de9e34a4046ded67d3cece5a93a5b19d37d423f3bde67051a2f0a0e3195443669709a8b732d27246852353a2c9ba59026f9d71f8df6bb1152e37f lxterminal-0.3.0.tar.xz" +sha512sums="05eb6ef8904de9e34a4046ded67d3cece5a93a5b19d37d423f3bde67051a2f0a0e3195443669709a8b732d27246852353a2c9ba59026f9d71f8df6bb1152e37f lxterminal-0.3.0.tar.xz +e9fc3d612a8a59e4fb7cd5c339759a7450c8829caa3645e9c859e603a450a173a9215670598d696dc8830de1c78b4a62959bfdb166962cd869ae5a9ec8bab33d CVE-2016-10369.patch" diff --git a/main/lxterminal/CVE-2016-10369.patch b/main/lxterminal/CVE-2016-10369.patch new file mode 100644 index 0000000000..170ad884be --- /dev/null +++ b/main/lxterminal/CVE-2016-10369.patch @@ -0,0 +1,26 @@ +From f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648 Mon Sep 17 00:00:00 2001 +From: Yao Wei <mwei@lxde.org> +Date: Mon, 8 May 2017 00:47:55 +0800 +Subject: [PATCH] fix: use g_get_user_runtime_dir for socket directory + +This bug is pointed out by stackexchange user that putting socket file in +/tmp is a potential risk. Putting the socket dir in user directory could +mitigate the risk. +--- + src/unixsocket.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/unixsocket.c b/src/unixsocket.c +index 4c660ac..f88284c 100644 +--- a/src/unixsocket.c ++++ b/src/unixsocket.c +@@ -140,7 +140,8 @@ gboolean lxterminal_socket_initialize(LXTermWindow * lxtermwin, gint argc, gchar + * This function returns TRUE if this process should keep running and FALSE if it should exit. */ + + /* Formulate the path for the Unix domain socket. */ +- gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", gdk_display_get_name(gdk_display_get_default()), g_get_user_name()); ++ gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", g_get_user_runtime_dir(), gdk_display_get_name(gdk_display_get_default())); ++ printf("%s\n", socket_path); + + /* Create socket. */ + int fd = socket(PF_UNIX, SOCK_STREAM, 0); |