Commit a28f3503 authored by Natanael Copa's avatar Natanael Copa

community/pcmanfm: fix CVE-2017-8934

parent 4a8fa916
# Contributor: Bartłomiej Piotrowski <bpiotrowski@alpinelinux.org> # Contributor: Bartłomiej Piotrowski <bpiotrowski@alpinelinux.org>
# Maintainer: # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=pcmanfm pkgname=pcmanfm
pkgver=1.2.5 pkgver=1.2.5
pkgrel=0 pkgrel=1
pkgdesc='Extremely fast and lightweight file manager' pkgdesc='Extremely fast and lightweight file manager'
arch='all' arch='all'
url='http://pcmanfm.sourceforge.net/' url='http://pcmanfm.sourceforge.net/'
license='GPL' license='GPL'
makedepends='gtk+2.0-dev libfm-dev intltool' makedepends='gtk+2.0-dev libfm-dev intltool'
subpackages="$pkgname-doc $pkgname-lang" subpackages="$pkgname-doc $pkgname-lang"
source="http://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.xz" source="http://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.xz
CVE-2017-8934.patch"
# secfixes:
# 1.2.5-r1:
# - CVE-2017-8934
build() { build() {
cd "$srcdir/$pkgname-$pkgver" cd "$srcdir/$pkgname-$pkgver"
...@@ -27,6 +32,5 @@ package() { ...@@ -27,6 +32,5 @@ package() {
"$pkgdir"/usr/share/applications/pcmanfm.desktop || return 1 "$pkgdir"/usr/share/applications/pcmanfm.desktop || return 1
} }
md5sums="b4d1f8ce08d87e4f27805a246fc51ac2 pcmanfm-1.2.5.tar.xz" sha512sums="ce53315483f58361c5a7797bdca355dbbedc2cf3907d319c7c65be844ea74ed297497dc3183c903e06b8294f6301d19347f6b9871e34bf773c04ff4fb8ab32f3 pcmanfm-1.2.5.tar.xz
sha256sums="0c86cac028b705ff314c7464d814c2cf7ff604c17491c20aa204b1ef1a80ad67 pcmanfm-1.2.5.tar.xz" 31c669e61832c1144dac7ef619b8dcdef7ee43f3f40e874695bef6aecc81d53caabb66913ea96ed5c2f5d79ac9bb5379ef317d9428bef837013c18d24da7536e CVE-2017-8934.patch"
sha512sums="ce53315483f58361c5a7797bdca355dbbedc2cf3907d319c7c65be844ea74ed297497dc3183c903e06b8294f6301d19347f6b9871e34bf773c04ff4fb8ab32f3 pcmanfm-1.2.5.tar.xz"
From bc8c3d871e9ecc67c47ff002b68cf049793faf08 Mon Sep 17 00:00:00 2001
From: Andriy Grytsenko <andrej@rep.kiev.ua>
Date: Sun, 14 May 2017 21:35:40 +0300
Subject: [PATCH] Fix potential access violation, use runtime user dir instead
of tmp dir.
---
NEWS | 4 ++++
src/single-inst.c | 7 ++++++-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index 8c2049a..876f7f3 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,7 @@
+* Fixed potential access violation, use runtime user dir instead of tmp dir
+ for single instance socket.
+
+
Changes on 1.2.5 since 1.2.4:
* Removed options to Cut, Remove and Rename from context menu on mounted
diff --git a/src/single-inst.c b/src/single-inst.c
index 62c37b3..aaf84ab 100644
--- a/src/single-inst.c
+++ b/src/single-inst.c
@@ -2,7 +2,7 @@
* single-inst.c: simple IPC mechanism for single instance app
*
* Copyright 2010 Hong Jen Yee (PCMan) <pcman.tw@gmail.com>
- * Copyright 2012 Andriy Grytsenko (LStranger) <andrej@rep.kiev.ua>
+ * Copyright 2012-2017 Andriy Grytsenko (LStranger) <andrej@rep.kiev.ua>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -404,11 +404,16 @@ static void get_socket_name(SingleInstData* data, char* buf, int len)
}
else
dpynum = 0;
+#if GLIB_CHECK_VERSION(2, 28, 0)
+ g_snprintf(buf, len, "%s/%s-socket-%s-%d", g_get_user_runtime_dir(),
+ data->prog_name, host ? host : "", dpynum);
+#else
g_snprintf(buf, len, "%s/.%s-socket-%s-%d-%s",
g_get_tmp_dir(),
data->prog_name,
host ? host : "",
dpynum,
g_get_user_name());
+#endif
}
--
2.1.4
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment