Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20170515153135.g4n5kcqvk5ghdb4m@madoka.m-wei.net>
Date: Mon, 15 May 2017 23:31:35 +0800
From: Yao Wei <mwei@...e.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-8933 libmenu-cache: socket may be blocked by another user

The socket placed in /tmp is predictable and public-writable. Therefore
if one user placed a symlink to another socket instead of socket for
another use then said another user will either be unable to get menu, or
will receive menu of some other user.

This bug has been assigned to CVE-2017-8933 [1].  A fix has been
committed to menu-cache's git repository [2].  LXDE developers are
working on a release which fixes the problem.

[1]: https://git.lxde.org/gitweb/?p=lxde/menu-cache.git;a=commitdiff;h=56f66684592abf257c4004e6e1fff041c64a12ce

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.