[Pkg-lxde-maintainers] Bug#862571: pcmanfm: single instance socket may be blocked by another user.
Andriy Grytsenko
andrej at rep.kiev.ua
Sun May 14 19:28:24 UTC 2017
Package: pcmanfm
Version: 1.2.5-2
Version: 1.2.3-1.1
Severity: serious
Tags: upstream security
The socket placed in /tmp is predictable and public-writable. Therefore,
if one user places a symlink to another socket in place of another
user's socket, that other user will either be unable to use pcmanfm
or may send requests to the first user's pcmanfm. Upstream released a fix
for this issue:
https://git.lxde.org/gitweb/?p=lxde/pcmanfm.git;a=commitdiff;h=bc8c3d871e9ecc67c47ff002b68cf049793faf08
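
A defensive check for the problem reported above, as an added example that is not part of the original report and is not the upstream fix: before trusting a single-instance socket path, use lstat() to confirm it is a real socket owned by the current user rather than a symlink planted by someone else. The function names, the demo directory and the socket file names are constructed for illustration.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Return 1 only if path is a real socket (not a symlink) owned by uid. */
int socket_is_ours(const char *path, uid_t uid)
{
    struct stat st;
    if (lstat(path, &st) != 0)   /* lstat does not follow a planted symlink */
        return 0;
    return S_ISSOCK(st.st_mode) && st.st_uid == uid;
}

/* Bind a listening UNIX socket at path; returns the fd, or -1 on failure. */
int bind_unix(const char *path)
{
    struct sockaddr_un a;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&a, 0, sizeof a);
    a.sun_family = AF_UNIX;
    strncpy(a.sun_path, path, sizeof a.sun_path - 1);
    if (bind(fd, (struct sockaddr *)&a, sizeof a) != 0 || listen(fd, 1) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private directory. Returns a bitmask:
 * 1 = real socket accepted, 2 = symlink rejected, 4 = other uid rejected. */
int demo(void)
{
    char dir[] = "/tmp/sockdemo-XXXXXX", real[64], planted[64];
    int fd, r = 0;
    if (!mkdtemp(dir)) return -1;   /* mode 0700, unpredictable name */
    snprintf(real, sizeof real, "%s/real.sock", dir);
    snprintf(planted, sizeof planted, "%s/planted.sock", dir);
    if ((fd = bind_unix(real)) < 0 || symlink(real, planted) != 0) return -1;
    if (socket_is_ours(real, getuid())) r |= 1;
    if (!socket_is_ours(planted, getuid())) r |= 2;
    if (!socket_is_ours(real, getuid() + 1)) r |= 4;
    close(fd); unlink(planted); unlink(real); rmdir(dir);
    return r;
}
```

The lstat() check is only free of races when the socket lives in a directory that other users cannot write to, such as the 0700 directory created here; in a shared directory the entry can be swapped between the check and the connect.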