[arch-security] [ASA-201706-26] pcmanfm: denial of service

Remi Gacogne rgacogne at archlinux.org
Thu Jun 22 12:43:50 UTC 2017


Arch Linux Security Advisory ASA-201706-26
==========================================

Severity: Medium
Date    : 2017-06-22
CVE-ID  : CVE-2017-8934
Package : pcmanfm
Type    : denial of service
Remote  : No
Link    : https://security.archlinux.org/AVG-274

Summary
=======

The package pcmanfm before version 1.2.5-2 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 1.2.5-2.

# pacman -Syu "pcmanfm>=1.2.5-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

The socket placed in /tmp by pcmanfm is predictable and world-writable.
If one user plants a symlink to a different socket at the path where a
second user's socket would be created, that second user will either be
unable to use pcmanfm or may unknowingly send requests to the first
user's pcmanfm instance.
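The defensive pattern this class of bug calls for, as an added example in Python (not pcmanfm's own code): vet a socket path with lstat() so a planted symlink or a foreign user's socket is refused, and keep the socket in a private per-user directory instead of the shared /tmp namespace. The function names, socket names and directories below are assumptions constructed for the demonstration.

```python
import os
import socket
import stat
import tempfile

def check_socket_path(path):
    """Vet a socket path before using it: lstat() (not stat()) so a symlink
    planted at the predictable name is detected instead of followed."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return True                      # nothing there yet: safe to bind
    if stat.S_ISLNK(st.st_mode):
        return False                     # planted symlink: refuse to follow
    if not stat.S_ISSOCK(st.st_mode):
        return False                     # something else squatting the name
    return st.st_uid == os.getuid()      # another user's socket: refuse

def ensure_private_dir(path):
    """Create or verify a per-user, mode-0700 socket directory; keeping the
    socket out of the shared /tmp namespace removes the race entirely."""
    os.makedirs(path, mode=0o700, exist_ok=True)
    st = os.lstat(path)                  # a symlinked dir fails S_ISDIR
    return (stat.S_ISDIR(st.st_mode) and st.st_uid == os.getuid()
            and not (st.st_mode & 0o077))  # no group/other access

def demo():
    """Constructed scenario: another account planted a symlink at the name
    this instance would use. Returns the verdict for each case."""
    with tempfile.TemporaryDirectory() as tmp:
        own = os.path.join(tmp, "own.sock")          # constructed name
        planted = os.path.join(tmp, "planted.sock")  # constructed name
        shared = os.path.join(tmp, "shared")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            srv.bind(own)
            os.symlink(own, planted)
            os.mkdir(shared)
            os.chmod(shared, 0o755)                  # world-readable dir
            return {
                "absent": check_socket_path(os.path.join(tmp, "absent.sock")),
                "own_socket": check_socket_path(own),
                "symlink": check_socket_path(planted),
                "private_dir": ensure_private_dir(os.path.join(tmp, "run")),
                "shared_dir": ensure_private_dir(shared),
            }
        finally:
            srv.close()
```

Calling demo() returns a verdict per case; only the absent path, the caller's own socket and the 0700 directory pass.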

Impact
======

A local attacker might be able to cause a denial of service or trick
the user into sending requests to another pcmanfm instance.

References
==========

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862571
https://git.lxde.org/gitweb/?p=lxde/pcmanfm.git;a=commitdiff;h=bc8c3d871e9ecc67c47ff002b68cf049793faf08
https://security.archlinux.org/CVE-2017-8934
