[arch-commits] Commit in menu-cache/trunk (Fix-CVE-2017-8933.patch PKGBUILD)

Balló György bgyorgy at archlinux.org
Sun Jun 18 09:15:10 UTC 2017


    Date: Sunday, June 18, 2017 @ 09:15:09
  Author: bgyorgy
Revision: 238022

upgpkg: menu-cache 1.0.2-2

Fix CVE-2017-8933 (FS#54082)

Added:
  menu-cache/trunk/Fix-CVE-2017-8933.patch
Modified:
  menu-cache/trunk/PKGBUILD

-------------------------+
 Fix-CVE-2017-8933.patch |   71 ++++++++++++++++++++++++++++++++++++++++++++++
 PKGBUILD                |   13 ++++++--
 2 files changed, 81 insertions(+), 3 deletions(-)

Added: Fix-CVE-2017-8933.patch
===================================================================
--- Fix-CVE-2017-8933.patch	                        (rev 0)
+++ Fix-CVE-2017-8933.patch	2017-06-18 09:15:09 UTC (rev 238022)
@@ -0,0 +1,71 @@
+From 56f66684592abf257c4004e6e1fff041c64a12ce Mon Sep 17 00:00:00 2001
+From: Andriy Grytsenko <andrej at rep.kiev.ua>
+Date: Sun, 14 May 2017 21:28:00 +0300
+Subject: [PATCH] Fix potential access violation, use runtime user dir instead
+ of tmp dir.
+
+Note: it limits libmenu-cache compatibility to menu-cached >= 0.7.0.
+---
+ NEWS                            | 3 +++
+ libmenu-cache/menu-cache.c      | 7 ++++++-
+ menu-cache-daemon/menu-cached.c | 3 +++
+ 3 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/NEWS b/NEWS
+index f7f12e6..6177e9d 100644
+--- a/NEWS
++++ b/NEWS
+@@ -3,6 +3,9 @@
+ * Added new API menu_cache_app_get_generic_name() to get generic
+     name for application.
+ 
++* Fixed potential access violation, use runtime user dir instead of tmp dir.
++    It limits libmenu-cache compatibility to menu-cached >= 0.7.0.
++
+ 
+ Changes in 1.0.2 since 1.0.1:
+ 
+diff --git a/libmenu-cache/menu-cache.c b/libmenu-cache/menu-cache.c
+index 9e3e0db..d914127 100644
+--- a/libmenu-cache/menu-cache.c
++++ b/libmenu-cache/menu-cache.c
+@@ -3,7 +3,7 @@
+  *
+  *      Copyright 2008 PCMan <pcman.tw at gmail.com>
+  *      Copyright 2009 Jürgen Hötzel <juergen at archlinux.org>
+- *      Copyright 2012-2015 Andriy Grytsenko (LStranger) <andrej at rep.kiev.ua>
++ *      Copyright 2012-2017 Andriy Grytsenko (LStranger) <andrej at rep.kiev.ua>
+  *
+  *      This library is free software; you can redistribute it and/or
+  *      modify it under the terms of the GNU Lesser General Public
+@@ -1538,8 +1538,13 @@ static void get_socket_name( char* buf, int len )
+         if(*p)
+             *p = '\0';
+     }
++#if GLIB_CHECK_VERSION(2, 28, 0)
++    g_snprintf( buf, len, "%s/menu-cached-%s", g_get_user_runtime_dir(),
++                dpy ? dpy : ":0" );
++#else
+     g_snprintf( buf, len, "%s/.menu-cached-%s-%s", g_get_tmp_dir(),
+                 dpy ? dpy : ":0", g_get_user_name() );
++#endif
+     g_free(dpy);
+ }
+ 
+diff --git a/menu-cache-daemon/menu-cached.c b/menu-cache-daemon/menu-cached.c
+index a6895ee..c100484 100644
+--- a/menu-cache-daemon/menu-cached.c
++++ b/menu-cache-daemon/menu-cached.c
+@@ -473,6 +473,9 @@ static void get_socket_name( char* buf, int len )
+         if(*p)
+             *p = '\0';
+     }
++    /* NOTE: this socket name is incompatible with versions > 1.0.2,
++            although this function is never used since 0.7.0 but
++            libmenu-cache always requests exact socket name instead */
+     g_snprintf( buf, len, "%s/.menu-cached-%s-%s", g_get_tmp_dir(),
+                 dpy ? dpy : ":0", g_get_user_name() );
+     g_free(dpy);
+-- 
+2.1.4
+
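Review bot: In libmenu-cache/menu-cache.c the `#else` branch of get_socket_name() still builds the socket path under g_get_tmp_dir(), with a name derived only from the display and user name, so a build against GLib older than 2.28 silently keeps the shared-tmp-dir behaviour this patch moves away from. I would fail that configuration explicitly, e.g. `#error "GLib >= 2.28 is required: the socket must live in the per-user runtime dir"`, or at minimum add a comment on the branch marking it as the legacy, unprotected path. Separately, g_get_user_runtime_dir() falls back to the user cache directory when XDG_RUNTIME_DIR is unset, and the g_snprintf() result is never compared with `len`, so an over-long path would be truncated without notice; checking the return value against `len` would catch that. get_socket_name() begins outside the hunk, so what `dpy` may contain is not visible here.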

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2017-06-18 08:57:04 UTC (rev 238021)
+++ PKGBUILD	2017-06-18 09:15:09 UTC (rev 238022)
@@ -6,7 +6,7 @@
 
 pkgname=menu-cache
 pkgver=1.0.2
-pkgrel=1
+pkgrel=2
 pkgdesc='Caching mechanism for freedesktop.org compliant menus'
 arch=('i686' 'x86_64')
 license=('GPL2')
@@ -13,9 +13,16 @@
 url='http://lxde.org/'
 depends=('libfm-extra')
 makedepends=('gtk-doc')
-source=(https://downloads.sourceforge.net/lxde/$pkgname-$pkgver.tar.xz)
-sha256sums=('6f83edf2de34f83e701dcb52145d755250a5677580cd413476cc4d7f2d2012d5')
+source=(https://downloads.sourceforge.net/lxde/$pkgname-$pkgver.tar.xz
+        Fix-CVE-2017-8933.patch)
+sha256sums=('6f83edf2de34f83e701dcb52145d755250a5677580cd413476cc4d7f2d2012d5'
+            'd0ee65717d07ae423bac48d0676989cec624674bdacd3619f5d9fcc64c9e5796')
 
+prepare() {
+  cd $pkgname-$pkgver
+  patch -Np1 -i ../Fix-CVE-2017-8933.patch
+}
+
 build() {
   cd $pkgname-$pkgver
   ./configure --prefix=/usr --sysconfdir=/etc \
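Review bot: The PKGBUILD does not record where Fix-CVE-2017-8933.patch comes from or when it can be dropped, which makes the backport hard to audit on the next upgrade. A comment above the `source=` array would cover it, e.g. `# Fix-CVE-2017-8933.patch: backport of upstream commit 56f66684592a (FS#54082); remove once pkgver includes it`. As a style point in prepare(), quoting the directory (`cd "$pkgname-$pkgver"`) would be more robust, although the existing build() uses the same unquoted form. build() continues past the end of the hunk.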


