oss-sec mailing list archives

Re: CVE-2017-8934 pcmanfm: single instance socket may be blocked by another user

From: Guido Berhoerster <guido+openwall.com () berhoerster name>
Date: Mon, 15 May 2017 18:56:57 +0200

* Yao Wei <mwei () lxde org> [2017-05-15 17:37]:

The socket placed in /tmp is predictable and public-writable. Therefore
if one user placed a symlink to another socket instead of socket for
another user then said another user will either be unable to use
pcmanfm, or may send requests to the first user's pcmanfm.

This bug has been assigned to CVE-2017-8934 [1].  A fix has been
committed to pcmanfm's git repository [2].  LXDE developers are
working on a release which fixes the problem.

[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8934
[2]: https://git.lxde.org/gitweb/?p=lxde/pcmanfm.git;a=commitdiff;h=bc8c3d871e9ecc67c47ff002b68cf049793faf08


The "fix" is ifdef'd for glib >= 2.28.0, so the vulnerability
still exists when compiling against an older version of glib.
-- 
Guido Berhoerster

Current thread:

CVE-2017-8934 pcmanfm: single instance socket may be blocked by another user Yao Wei (May 15)
- Re: CVE-2017-8934 pcmanfm: single instance socket may be blocked by another user Guido Berhoerster (May 15)