Bugzilla – Bug 1039138
VUL-0: CVE-2017-8933: menu-cache: predictable and public-writable socket placed in /tmp
Last modified: 2024-05-08 14:24:20 UTC
Ref: http://seclists.org/oss-sec/2017/q2/260

============================================
The socket placed in /tmp is predictable and public-writable. Therefore, if one user placed a symlink to another socket instead of the socket for another user, then said other user will either be unable to get the menu, or will receive the menu of some other user.

This bug has been assigned to CVE-2017-8933 [1]. A fix has been committed to menu-cache's git repository [2]. LXDE developers are working on a release which fixes the problem.

[1]: https://git.lxde.org/gitweb/?p=lxde/menu-cache.git;a=commitdiff;h=56f66684592abf257c4004e6e1fff041c64a12ce
============================================

(open-)SUSE: https://software.opensuse.org/package/libmenu-cache3

1.0.2 (TW, official)
1.0.0 (42.{1,2}, official)
openSUSE only. Source package is menu-cache. Assign to maintainer.
This is fixed in version 1.1.0 via https://github.com/lxde/menu-cache/commit/56f66684592abf257c4004e6e1fff041c64a12ce. openSUSE_Backports_SLE-15-SP5_Update and Factory contain 1.1.0.
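
The class of problem reported here (a per-user socket at a guessable path in a world-writable directory) is usually avoided by placing the socket in a directory only its owner can enter. The following is an added example, not menu-cache's code and not taken from the referenced commit; the function names, the socket name `example-daemon.sock` and the use of `XDG_RUNTIME_DIR` are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Returns 0 only if dir is a real directory (not a symlink), owned by the
 * calling user, with no group/other permission bits: unlike /tmp, no other
 * local user can plant a socket or symlink inside it. */
int socket_dir_is_private(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0) return -1;             /* missing or unreadable */
    if (!S_ISDIR(st.st_mode)) return -1;             /* symlink or other type */
    if (st.st_uid != geteuid()) return -1;           /* created by someone else */
    if (st.st_mode & (S_IRWXG | S_IRWXO)) return -1; /* others can get in */
    return 0;
}

/* Writes "<dir>/<name>" to out only when dir passes the check above. */
int private_socket_path(const char *dir, const char *name, char *out, size_t len)
{
    if (socket_dir_is_private(dir) != 0) return -1;
    if (strchr(name, '/') != NULL) return -1;        /* name must stay inside dir */
    int n = snprintf(out, len, "%s/%s", dir, name);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;     /* reject truncation */
}

int main(void)
{
    /* Assumption: the session exports XDG_RUNTIME_DIR (per-user, mode 0700). */
    const char *dir = getenv("XDG_RUNTIME_DIR");
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    if (dir == NULL || private_socket_path(dir, "example-daemon.sock",
                                           addr.sun_path, sizeof addr.sun_path) != 0) {
        fputs("no private runtime directory; not falling back to /tmp\n", stderr);
        return 1;
    }
    printf("socket path: %s\n", addr.sun_path);
    return 0;
}
```

Both the daemon that binds the socket and the client that connects to it need to run the same check, since either side can be pointed at a path another user prepared.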