From ${URL} : Insecure temporary file creation in the get_socket_name function was found, leading to a potential access violation. Upstream patch: https://github.com/lxde/menu-cache/commit/56f66684592abf257c4004e6e1fff041c64a12ce @maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
https://github.com/gentoo/gentoo/pull/5355
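The defect class named in the report (a daemon deriving its socket location from a shared temporary directory, where another local user can pre-create or replace the path) is illustrated below with an added example. This is not menu-cache's code or the CVE-2017-8933 patch; the function names (socket_dir_is_private, weak_socket_path, private_socket_path, demo_*) and the ".example-cached-" naming are hypothetical, and the check assumes a POSIX system where lstat, getuid and mkdtemp are available.

```c
/* Added example, not menu-cache's code or its CVE-2017-8933 patch: shows a
 * predictable socket path in a shared temp dir beside a hardened alternative,
 * plus the ownership/permission check a daemon can apply before trusting a
 * directory. All function names are hypothetical. */
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if `dir` is safe to hold a per-user socket: it exists, is a real
 * directory (lstat, so a planted symlink fails), is owned by the calling user,
 * and is not writable by group or others. Returns 0 otherwise. */
int socket_dir_is_private(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0) return 0;
    if (!S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != getuid()) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Weak pattern: a predictable name directly under the shared temp directory.
 * Any local user can create that name first. Caller frees the result. */
char *weak_socket_path(const char *tmpdir, const char *user)
{
    size_t n = strlen(tmpdir) + strlen(user) + 32;
    char *p = malloc(n);
    if (p) snprintf(p, n, "%s/.example-cached-%s", tmpdir, user);
    return p;
}

/* Hardened pattern: a fresh 0700 directory made atomically with mkdtemp under a
 * base the user controls (e.g. XDG_RUNTIME_DIR), re-checked before use.
 * Returns NULL on failure; caller frees the result and removes the dir. */
char *private_socket_path(const char *base_dir)
{
    size_t n = strlen(base_dir) + 64;
    char *dir = malloc(n);
    if (!dir) return NULL;
    snprintf(dir, n, "%s/example-sock-XXXXXX", base_dir);
    if (mkdtemp(dir) == NULL) { free(dir); return NULL; }
    if (!socket_dir_is_private(dir)) { rmdir(dir); free(dir); return NULL; }
    size_t m = strlen(dir) + 16;
    char *sock = malloc(m);
    if (sock) snprintf(sock, m, "%s/socket", dir);
    free(dir);
    return sock;
}

static const char *base_tmp(void)
{
    const char *t = getenv("TMPDIR");   /* constructed fallback for the demo */
    return (t && *t) ? t : "/tmp";
}

/* Demo: a 0700 mkdtemp directory passes the check; the same directory made
 * world-writable fails it. Returns 1 when both outcomes are as expected. */
int demo_check(void)
{
    char dir[4096];
    snprintf(dir, sizeof dir, "%s/example-chk-XXXXXX", base_tmp());
    if (mkdtemp(dir) == NULL) return 0;
    int ok_private = socket_dir_is_private(dir);      /* expect 1 */
    if (chmod(dir, 0777) != 0) { rmdir(dir); return 0; }
    int ok_shared = socket_dir_is_private(dir);       /* expect 0 */
    chmod(dir, 0700);
    rmdir(dir);
    return ok_private == 1 && ok_shared == 0;
}

/* Demo: the hardened helper yields a path under a private directory. */
int demo_private_path(void)
{
    char *sock = private_socket_path(base_tmp());
    if (!sock) return 0;
    int ok = strstr(sock, "/example-sock-") != NULL;
    char *slash = strrchr(sock, '/');
    if (slash) { *slash = '\0'; rmdir(sock); }        /* clean up the demo dir */
    free(sock);
    return ok;
}

int main(void)
{
    char *weak = weak_socket_path(base_tmp(), "alice");
    printf("weak (predictable) path: %s\n", weak ? weak : "(alloc failed)");
    free(weak);
    printf("permission check demo: %s\n", demo_check() ? "ok" : "FAILED");
    printf("private path demo: %s\n", demo_private_path() ? "ok" : "FAILED");
    return 0;
}
```

The check deliberately uses lstat rather than stat, so a symlink planted at the expected name is rejected instead of followed, and it is applied again after mkdtemp as a cheap second line of defence.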
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f661657090a6b55025e0ea37dcef73692c159c6c

commit f661657090a6b55025e0ea37dcef73692c159c6c
Author: charIes17 <charles17@arcor.de>
AuthorDate: 2017-12-13 20:09:07 +0000
Commit: Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2018-03-05 21:57:53 +0000

lxde-base/menu-cache: fix against CVE-2017-8933.

Package-Manager: Portage-2.3.13, Repoman-2.3.3
Bug: https://bugs.gentoo.org/618620
Closes: https://github.com/gentoo/gentoo/pull/5355

.../files/menu-cache-1.0.2-CVE-2017-8933.patch | 122 +++++++++++++++++++++
lxde-base/menu-cache/menu-cache-1.0.2-r1.ebuild | 22 ++++
2 files changed, 144 insertions(+)
*** Bug 649706 has been marked as a duplicate of this bug. ***
(In reply to Agostino Sarubbo from comment #0)
> From ${URL} :
>
> @maintainer(s): after the bump, in case we need to stabilize the package,
> please let us know if it is ready for the stabilization or not.

I have no authorisation for adding STABLEREQ here. Someone else needs to do it.
1.0.2-r1 is no longer in the tree, but 1.1.0 carries the patch and is stable. @maintainers, please drop lxde-base/menu-cache-1.0.2