Mailinglist Archive: opensuse-bugs (4295 mails)

[Bug 1039138] New: VUL-0: CVE-2017-8933: libmenu-cache3: predictable and public-writable socket placed in /tmp
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Mon, 15 May 2017 15:55:18 +0000
  • Message-id: <bug-1039138-21960@http.bugzilla.opensuse.org/>
http://bugzilla.opensuse.org/show_bug.cgi?id=1039138


Bug ID: 1039138
Summary: VUL-0: CVE-2017-8933: libmenu-cache3: predictable and
public-writable socket placed in /tmp
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@xxxxxxx
Reporter: mikhail.kasimov@xxxxxxxxx
QA Contact: qa-bugs@xxxxxxx
Found By: ---
Blocker: ---

Ref: http://seclists.org/oss-sec/2017/q2/260
============================================
The socket placed in /tmp is predictable and public-writable. Therefore,
if one user places a symlink to another socket in place of the socket for
another user, then that other user will either be unable to get the menu, or
will receive the menu of some other user.

This bug has been assigned to CVE-2017-8933 [1]. A fix has been
committed to menu-cache's git repository [2]. LXDE developers are
working on a release which fixes the problem.

[1]:
https://git.lxde.org/gitweb/?p=lxde/menu-cache.git;a=commitdiff;h=56f66684592abf257c4004e6e1fff041c64a12ce
============================================

(open-)SUSE: https://software.opensuse.org/package/libmenu-cache3

1.0.2 (TW, official)
1.0.0 (42.{1,2}, official)

--
You are receiving this mail because:
You are on the CC list for the bug.