From: Daniel Sabogal To: alpine-aports@lists.alpinelinux.org Subject: [alpine-aports] [PATCH 1/2] main/lxterminal: security fix for CVE-2016-10369 Date: Mon, 7 Aug 2017 11:39:54 -0400 Message-Id: <20170807153956.14312-1-dsabogalcc@gmail.com> X-Mailer: git-send-email 2.13.3 X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: --- main/lxterminal/APKBUILD | 12 +++++++++--- main/lxterminal/CVE-2016-10369.patch | 26 ++++++++++++++++++++++++++ 2 files changed, 35 insertions(+), 3 deletions(-) create mode 100644 main/lxterminal/CVE-2016-10369.patch diff --git a/main/lxterminal/APKBUILD b/main/lxterminal/APKBUILD index 7f227a50ba..534d0bd007 100644 --- a/main/lxterminal/APKBUILD +++ b/main/lxterminal/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa pkgname=lxterminal pkgver=0.3.0 -pkgrel=0 +pkgrel=1 pkgdesc="Desktop-independent VTE-based terminal emulator" url="http://lxde.org/" arch="all" @@ -11,9 +11,14 @@ depends="" makedepends="vte-dev" install="" subpackages="$pkgname-doc $pkgname-lang" -source="https://downloads.sourceforge.net/lxde/$pkgname-$pkgver.tar.xz" +source="https://downloads.sourceforge.net/lxde/$pkgname-$pkgver.tar.xz + CVE-2016-10369.patch" builddir="$srcdir"/$pkgname-$pkgver +# secfixes: +# 0.3.0-r1: +# - CVE-2016-10369 + build() { cd "$builddir" ./configure \ @@ -33,4 +38,5 @@ package() { make DESTDIR="$pkgdir" install || return 1 } -sha512sums="05eb6ef8904de9e34a4046ded67d3cece5a93a5b19d37d423f3bde67051a2f0a0e3195443669709a8b732d27246852353a2c9ba59026f9d71f8df6bb1152e37f lxterminal-0.3.0.tar.xz" +sha512sums="05eb6ef8904de9e34a4046ded67d3cece5a93a5b19d37d423f3bde67051a2f0a0e3195443669709a8b732d27246852353a2c9ba59026f9d71f8df6bb1152e37f lxterminal-0.3.0.tar.xz +e9fc3d612a8a59e4fb7cd5c339759a7450c8829caa3645e9c859e603a450a173a9215670598d696dc8830de1c78b4a62959bfdb166962cd869ae5a9ec8bab33d CVE-2016-10369.patch" 
diff --git a/main/lxterminal/CVE-2016-10369.patch b/main/lxterminal/CVE-2016-10369.patch new file mode 100644 index 0000000000..170ad884be --- /dev/null +++ b/main/lxterminal/CVE-2016-10369.patch @@ -0,0 +1,26 @@ +From f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648 Mon Sep 17 00:00:00 2001 +From: Yao Wei +Date: Mon, 8 May 2017 00:47:55 +0800 +Subject: [PATCH] fix: use g_get_user_runtime_dir for socket directory + +This bug is pointed out by stackexchange user that putting socket file in +/tmp is a potential risk. Putting the socket dir in user directory could +mitigate the risk. +--- + src/unixsocket.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/unixsocket.c b/src/unixsocket.c +index 4c660ac..f88284c 100644 +--- a/src/unixsocket.c ++++ b/src/unixsocket.c +@@ -140,7 +140,8 @@ gboolean lxterminal_socket_initialize(LXTermWindow * lxtermwin, gint argc, gchar + * This function returns TRUE if this process should keep running and FALSE if it should exit. */ + + /* Formulate the path for the Unix domain socket. */ +- gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", gdk_display_get_name(gdk_display_get_default()), g_get_user_name()); ++ gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", g_get_user_runtime_dir(), gdk_display_get_name(gdk_display_get_default())); ++ printf("%s\n", socket_path); + + /* Create socket. */ + int fd = socket(PF_UNIX, SOCK_STREAM, 0); -- 2.13.3 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---
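Review bot: the APKBUILD hunks (pkgrel 0 -> 1, `CVE-2016-10369.patch` appended to `source`, the `# secfixes:` block and the new sha512sums entry) are consistent with each other, but note that the APKBUILD defines no prepare(), so the patch is only applied because abuild's default prepare step applies every `*.patch` entry listed in `source`; that is fine as long as nobody later adds a custom prepare() without calling default_prepare. The sha512sum on the new line covers the patch file byte for byte, so if the debug `printf` in the backported patch is dropped before merge (see the note on the unixsocket.c hunk), regenerate the checksum with `abuild checksum` in the same commit or the build will fail verification.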
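Review bot: the `+    printf("%s\n", socket_path);` line in the src/unixsocket.c hunk is a leftover debug print that will write the socket path to stdout on every lxterminal start; it is not mentioned in the commit message and should be removed from the backported patch, keeping only the `g_strdup_printf` change. The path change itself is the actual fix: the old `/tmp/.lxterminal-socket<display>-<user>` lives in a world-writable directory, so any other local user could create or replace that name ahead of time, while `g_get_user_runtime_dir()` returns `$XDG_RUNTIME_DIR`, which the XDG spec requires to be owned by the user with mode 0700, so dropping `g_get_user_name()` from the file name is fine. One caveat worth a comment in the patch: when `XDG_RUNTIME_DIR` is unset, GLib falls back to the user cache directory (`$XDG_CACHE_HOME` or `~/.cache`), which is still per-user rather than shared but is neither guaranteed to exist nor cleaned up at logout, so stale socket files can remain there between sessions.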