[Secure-testing-team] Bug#862098: lxterminal: socket can be blocked by another user
Yao Wei (魏銘廷)
mwei at lxde.org
Mon May 8 13:08:45 UTC 2017
Package: lxterminal
Version: 0.3.0-1
Severity: grave
Tags: upstream patch security
Justification: user security hole
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
This vulnerability is discussed in a Stackexchange website:
https://unix.stackexchange.com/questions/333539/lxterminal-in-the-netstat-output/333578
The socket placed in /tmp is predictable and public-writable. Therefore,
if Alice places a file or lxterminal socket at
/tmp/.lxterminal-socket:0-bob, Bob is unable to open lxterminal, or opens
an lxterminal instance for Alice.
This bug is fixed in the commit:
https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages lxterminal depends on:
ii libatk1.0-0 2.22.0-1
ii libc6 2.24-10
ii libcairo2 1.14.8-1
ii libfontconfig1 2.11.0-6.7+b1
ii libfreetype6 2.6.3-3.2
ii libgdk-pixbuf2.0-0 2.36.5-2
ii libglib2.0-0 2.50.3-2
ii libgtk2.0-0 2.24.31-2
ii libpango-1.0-0 1.40.5-1
ii libpangocairo-1.0-0 1.40.5-1
ii libpangoft2-1.0-0 1.40.5-1
ii libvte9 1:0.28.2-5+b2
ii libx11-6 2:1.6.4-3
ii libxext6 2:1.3.3-1+b2
lxterminal recommends no packages.
lxterminal suggests no packages.
-- no debconf information
-----BEGIN PGP SIGNATURE-----
iQJCBAEBCAAsFiEE/tVDSEUoffJikxSJz7v84LdPGxQFAlkQbdkOHG13ZWlAbHhk
ZS5vcmcACgkQz7v84LdPGxSZuA/+NEEhU73k2esU8FveOzTc0ei0b5NLC2y5zvY/
/To8BTaUJAQE3J1icvgV3JRPJI8YOin5Ombz1n+4URt+f17G00mWplyGQgFiXcKP
oooPl93If2rfi3POFM3MoC6grRc5UdwpUcTimwaX4OEE/PUZNHnfoNI2pWPk0Z34
AcGVqbJzxagpqzwvzsjjHC2EOncSeTfm2nZzUIwWfXV+LdGgq2Sf2oyaAYH/QnuV
bvGAGgCZCNFejn9m3VHA7SIEU8AV+/FaJ/8sT5WJIyWWBoEBkcig50Ya5UG71zVq
VTixWAbnCLhfQ44xKsFvGD+h6LH4c6qgQxnxk16yQrUOAZsIFHDuc9xIMBJtGLJt
G3hZFY7x0sry4GVgHdqDvxI51UgWuZuUJNTTtXOuu0Yno0gcwY8TCC3QBtIk+4kQ
61tTbNoho7wTjn8reY+SgcUXeLdUAbKXdcv3IOp25LmiPLHV5dGfnRXH8Gw/ZQCz
B9Tli0Ge3yNXaC0MJzgyaopNPdqzBNII5IWwfjknVy6K6uQCiHx9UCbOfxDre9sp
DbgENkagS5P8+lNVOtGHr55n/2bg+kKLOztOKBBp0vqdwaKnKAuE0BZfOx78msgs
P+vGhzOARu/y2V/n4AAPPiE9SlRZIQg+oX1+5syzXiRD2dLOUbXqRLmVZwaqLsKG
0oN43Nk=
=fmHh
-----END PGP SIGNATURE-----
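The report above describes the root cause (a predictable socket path in the world-writable /tmp that any other user can pre-create) and points at the upstream commit, but does not show the fix itself. The following is an added example, not lxterminal's code and not the referenced commit: it shows the defensive pattern a practitioner would apply to this class of bug in C. The socket is placed in a directory that is verified to be a real directory owned by the calling user and not group/world writable (a 1777 directory such as /tmp fails that check), and a pre-existing path is never unlinked, so a planted entry causes a refusal rather than a hijack. The function names, the "lxterminal-example" directory names and the "socket:0" socket name are all constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

/* Return 0 if 'dir' is a real directory (not a symlink), owned by the
 * calling user, and not writable by group or others; -1 otherwise.
 * A shared 1777 directory such as /tmp fails this check on purpose. */
int check_private_dir(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0)             return -1; /* missing or unreadable */
    if (!S_ISDIR(st.st_mode))             return -1; /* symlink, regular file, ... */
    if (st.st_uid != geteuid())           return -1; /* someone else's directory */
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return -1; /* others could plant entries */
    return 0;
}

/* Create a listening AF_UNIX socket at <dir>/<name>. The directory must
 * pass check_private_dir(). A pre-existing path is never unlinked: it may
 * have been planted by another user, so bind() failing (EADDRINUSE) is
 * reported as -1 instead. On success the socket path is written to
 * 'path_out' and the listening file descriptor is returned. */
int bind_private_socket(const char *dir, const char *name,
                        char *path_out, size_t outlen)
{
    struct sockaddr_un addr;
    int fd;

    if (check_private_dir(dir) != 0)
        return -1;
    if (snprintf(path_out, outlen, "%s/%s", dir, name) >= (int)outlen)
        return -1;
    if (strlen(path_out) >= sizeof addr.sun_path)
        return -1;

    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path_out);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0) {
        close(fd);               /* path already present: refuse, do not unlink */
        return -1;
    }
    if (listen(fd, 5) != 0) {
        unlink(path_out);        /* our own fresh path, safe to remove */
        close(fd);
        return -1;
    }
    return fd;
}

/* Stand-alone demo: prefer $XDG_RUNTIME_DIR (per-user, mode 0700, created
 * by the session manager); otherwise create a uid-specific 0700 directory
 * under /tmp. Directory and socket names are constructed for this example. */
int main(void)
{
    char dir[256], path[512];
    const char *xdg = getenv("XDG_RUNTIME_DIR");
    int fd;

    if (xdg && *xdg)
        snprintf(dir, sizeof dir, "%s/lxterminal-example", xdg);
    else
        snprintf(dir, sizeof dir, "/tmp/lxterminal-example-%lu",
                 (unsigned long)geteuid());
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) {
        perror("mkdir");
        return 1;
    }
    fd = bind_private_socket(dir, "socket:0", path, sizeof path);
    if (fd < 0) {
        fprintf(stderr, "refusing to use %s: missing, wrong owner/mode, "
                        "or socket path already present\n", dir);
        return 1;
    }
    printf("listening on %s\n", path);
    close(fd);
    unlink(path);
    return 0;
}
```

Note that mkdir(dir, 0700) with EEXIST tolerated is only safe because check_private_dir() runs afterwards: if another user pre-created a directory of that name, the ownership check rejects it, which is the same "refuse rather than share" behaviour applied to the socket path itself.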