[Pkg-lxde-maintainers] Bug#862570: libmenu-cache: menu-cached socket may be blocked by another user.

Andriy Grytsenko andrej at rep.kiev.ua
Sun May 14 19:17:18 UTC 2017


Package: libmenu-cache3
Version: 1.0.2-2
Severity: serious
Tags: upstream security

The socket placed in /tmp is predictable and public-writable. Therefore
if one user placed a symlink to another socket instead of socket for
another use then said another user will either be unable to get menu, or
will receive menu of some other user. Upstream released a fix for this
issue:

https://git.lxde.org/gitweb/?p=lxde/menu-cache.git;a=commitdiff;h=56f66684592abf257c4004e6e1fff041c64a12ce



More information about the Pkg-lxde-maintainers mailing list