Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 618622 (CVE-2017-8934)

Summary: <x11-misc/pcmanfm-1.2.3: Insecure temporary file creation in get_socket_name function
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: hwoarang, lxde
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1451064
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 625180    

Description Agostino Sarubbo gentoo-dev 2017-05-16 07:23:51 UTC
From ${URL} :

Insecure temporary file creation in get_socket_name function was found leading to potential access violation.

Upstream patch:

https://git.lxde.org/gitweb/?p=lxde/pcmanfm.git;a=commitdiff;h=bc8c3d871e9ecc67c47ff002b68cf049793faf08


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 charles17 2017-07-17 08:16:03 UTC
https://github.com/gentoo/gentoo/pull/5118
Comment 2 David Seifert gentoo-dev 2017-07-30 15:14:13 UTC
commit 3e7da11f260f36acddc64b074d2eef63bb1a14b6
Author: charIes17 <charles17@arcor.de>
Date:   Mon Jul 17 09:36:09 2017 +0200

    x11-misc/pcmanfm: Add patch for CVE-2017-8934
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=618622
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=624938
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-08-06 20:04:28 UTC
GLSA Vote: No
Comment 4 Sam James gentoo-dev Security 2020-03-18 03:03:54 UTC
(Note that this didn't get a revbump for the patch, but it is there.)
Comment 5 Hanno Böck gentoo-dev 2020-03-18 06:34:38 UTC
(In reply to sam_c (Security Padawan) from comment #4)
> (Note that this didn't get a revbump for the patch, but it is there.)

In the meantime a new version has been added and is also stabilized on all archs, so I'm going to fix this by removing the older versions.