Your message dated Tue, 04 Jul 2017 06:32:26 +0000
with message-id <e1dshnq-0009w9...@fasolo.debian.org>
and subject line Bug#862098: fixed in lxterminal 0.2.0-1+deb8u1
has caused the Debian Bug report #862098,
regarding lxterminal: CVE-2016-10369: socket can be blocked by another user
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
862098: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862098
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lxterminal
Version: 0.3.0-1
Severity: grave
Tags: upstream patch security
Justification: user security hole
This vulnerability is discussed on a Stack Exchange website:
https://unix.stackexchange.com/questions/333539/lxterminal-in-the-netstat-output/333578
The socket placed in /tmp is predictable and public-writable. Therefore,
if Alice placed a file or lxterminal socket in
/tmp/.lxterminal-socket:0-bob, Bob is unable to open lxterminal, or open
a lxterminal instance for Alice.
This bug is fixed in the commit:
https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages lxterminal depends on:
ii libatk1.0-0 2.22.0-1
ii libc6 2.24-10
ii libcairo2 1.14.8-1
ii libfontconfig1 2.11.0-6.7+b1
ii libfreetype6 2.6.3-3.2
ii libgdk-pixbuf2.0-0 2.36.5-2
ii libglib2.0-0 2.50.3-2
ii libgtk2.0-0 2.24.31-2
ii libpango-1.0-0 1.40.5-1
ii libpangocairo-1.0-0 1.40.5-1
ii libpangoft2-1.0-0 1.40.5-1
ii libvte9 1:0.28.2-5+b2
ii libx11-6 2:1.6.4-3
ii libxext6 2:1.3.3-1+b2
lxterminal recommends no packages.
lxterminal suggests no packages.
-- no debconf information
--- End Message ---
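A defensive pattern for the problem described in the report above, as an added example that is not lxterminal's code or the referenced commit: place the socket only in a directory that the current user owns and nobody else can write to, and refuse to fall back to /tmp. The use of XDG_RUNTIME_DIR, the function names and the socket file name are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 only if dir is a real directory (not a symlink), owned by the
 * calling user, with no group/other permission bits set. */
int dir_is_private(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0)              return 0; /* missing or unreadable */
    if (!S_ISDIR(st.st_mode))              return 0; /* symlink, file, socket */
    if (st.st_uid != geteuid())            return 0; /* another user owns it */
    if (st.st_mode & (S_IRWXG | S_IRWXO))  return 0; /* others can reach entries */
    return 1;
}

/* Builds "<dir>/example-socket-<display>" (hypothetical file name) into out.
 * Returns 0 on success, -1 if dir fails the checks or the path does not fit. */
int build_socket_path(const char *dir, const char *display,
                      char *out, size_t outlen)
{
    if (dir == NULL || display == NULL || !dir_is_private(dir))
        return -1;
    if (strchr(display, '/') != NULL)   /* name must stay inside dir */
        return -1;
    int n = snprintf(out, outlen, "%s/example-socket-%s", dir, display);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

int main(void)
{
    char path[108];  /* size of sockaddr_un.sun_path on Linux */
    /* Assumption: the per-user runtime directory is given by XDG_RUNTIME_DIR. */
    const char *rt = getenv("XDG_RUNTIME_DIR");
    if (build_socket_path(rt, ":0", path, sizeof path) == 0)
        printf("socket path: %s\n", path);
    else
        printf("no private runtime directory; not falling back to /tmp\n");
    return 0;
}
```

Because the directory itself is private, another local user cannot pre-create or replace the socket name, which is the condition the report describes for the shared /tmp location.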
--- Begin Message ---
Source: lxterminal
Source-Version: 0.2.0-1+deb8u1
We believe that the bug you reported is fixed in the latest version of
lxterminal, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 862...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yao Wei (魏銘廷) <m...@lxde.org> (supplier of updated lxterminal package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Tue, 09 May 2017 11:37:21 +0800
Source: lxterminal
Binary: lxterminal lxterminal-dbg
Architecture: source
Version: 0.2.0-1+deb8u1
Distribution: jessie
Urgency: high
Maintainer: Debian LXDE Maintainers <lxde-deb...@lists.lxde.org>
Changed-By: Yao Wei (魏銘廷) <m...@lxde.org>
Description:
lxterminal - LXDE terminal emulator
lxterminal-dbg - LXDE terminal emulator (debug)
Closes: 862098
Changes:
lxterminal (0.2.0-1+deb8u1) jessie; urgency=high
.
* Fix improper use of /tmp for a socket file (CVE-2016-10369)
(Closes: #862098)
--- End Message ---