[Bug 1039140] New: VUL-0: CVE-2017-8934: pcmanfm: single instance socket may be blocked by another user
http://bugzilla.opensuse.org/show_bug.cgi?id=1039140

Bug ID: 1039140
Summary: VUL-0: CVE-2017-8934: pcmanfm: single instance socket may be blocked by another user
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mikhail.kasimov@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Ref: http://seclists.org/oss-sec/2017/q2/261

=============================================
The socket placed in /tmp is predictable and public-writable. Therefore if one user placed a symlink to another socket instead of socket for another user then said another user will either be unable to use pcmanfm, or may send requests to the first user's pcmanfm.

This bug has been assigned to CVE-2017-8934 [1]. A fix has been committed to pcmanfm's git repository [2]. LXDE developers are working on a release which fixes the problem.

[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8934
[2]: https://git.lxde.org/gitweb/?p=lxde/pcmanfm.git;a=commitdiff;h=bc8c3d871e9ec...
=============================================

(open-)SUSE: https://software.opensuse.org/package/pcmanfm
1.2.5 (TW, official repo)
1.2.3 (42.{1,2}, official repo)

--
You are receiving this mail because:
You are on the CC list for the bug.
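As an added illustration of the report above (not code from pcmanfm and not the committed fix), the following C sketch shows two checks a single-instance program can apply before trusting a socket path: the containing directory must be private to the user, and the path must be a real socket owned by that user rather than a symlink. The function names and the `/tmp/sockdemo-XXXXXX` scenario are constructed for the example.

```c
#define _XOPEN_SOURCE 700            /* expose lstat, symlink, mkdtemp */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Return 1 only if `path` is itself a socket (not a symlink) owned by `me`. */
int socket_is_ours(const char *path, uid_t me)
{
    struct stat st;
    if (lstat(path, &st) != 0)       /* lstat does not follow a planted symlink */
        return 0;
    return S_ISSOCK(st.st_mode) && st.st_uid == me;
}

/* Return 1 only if `dir` is a real directory owned by `me`, closed to group/other. */
int dir_is_private(const char *dir, uid_t me)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return st.st_uid == me && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Constructed scenario: a private directory holding our socket and a symlink to it.
 * Result bits: 0 = dir is private, 1 = real socket accepted, 2 = symlink accepted. */
int demo(void)
{
    char dir[] = "/tmp/sockdemo-XXXXXX", real[128], lnk[128];
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    int result = 0, fd;
    if (!mkdtemp(dir))               /* mkdtemp creates the directory with mode 0700 */
        return -1;
    snprintf(real, sizeof real, "%s/real.sock", dir);
    snprintf(lnk, sizeof lnk, "%s/link.sock", dir);
    snprintf(addr.sun_path, sizeof addr.sun_path, "%s", real);
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0 || bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0
        || symlink(real, lnk) != 0)
        return -1;
    result |= dir_is_private(dir, getuid()) << 0;
    result |= socket_is_ours(real, getuid()) << 1;
    result |= socket_is_ours(lnk, getuid()) << 2;
    close(fd); unlink(lnk); unlink(real); rmdir(dir);
    return result;
}

int main(void) { printf("result bits: %d\n", demo()); return 0; }
```

The `lstat` check on its own is racy in a world-writable directory, because the entry can be swapped between the check and the connect; the directory check is what removes that window.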
http://bugzilla.opensuse.org/show_bug.cgi?id=1039140#c1
--- Comment #1 from Mikhail Kasimov