aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBrendan Tildesley <brendan.tildesley@openmailbox.org>2017-11-24 02:57:00 +1100
committerLudovic Courtès <ludo@gnu.org>2017-11-23 22:55:58 +0100
commit327620dc7213362cf329a80992a873445bcb1624 (patch)
treeefd9cd2c42515f92c39b1a96a88d849fb42e2df5
parent0dcad042a5180d275a96d2870092f40a4f7542ec (diff)
downloadpatches-327620dc7213362cf329a80992a873445bcb1624.tar
patches-327620dc7213362cf329a80992a873445bcb1624.tar.gz
gnu: pcmanfm: Fix CVE-2017-8934.
* gnu/packages/patches/pcmanfm-CVE-2017-8934.patch: New file. This patch was imported from Arch Linux. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/lxde.scm (pcmanfm)[source]: Use it. Signed-off-by: Ludovic Courtès <ludo@gnu.org>
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/lxde.scm1
-rw-r--r--gnu/packages/patches/pcmanfm-CVE-2017-8934.patch56
3 files changed, 58 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 0993c45873..e8ad12295e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -945,6 +945,7 @@ dist_patch_DATA = \
%D%/packages/patches/patchelf-rework-for-arm.patch \
%D%/packages/patches/patchutils-xfail-gendiff-tests.patch \
%D%/packages/patches/patch-hurd-path-max.patch \
+ %D%/packages/patches/pcmanfm-CVE-2017-8934.patch \
%D%/packages/patches/pcre-CVE-2017-7186.patch \
%D%/packages/patches/pcre2-CVE-2017-7186.patch \
%D%/packages/patches/pcre2-CVE-2017-8786.patch \
diff --git a/gnu/packages/lxde.scm b/gnu/packages/lxde.scm
index 44e5da444d..7d0aaa6503 100644
--- a/gnu/packages/lxde.scm
+++ b/gnu/packages/lxde.scm
@@ -215,6 +215,7 @@ speed up the access to freedesktop.org defined application menus.")
(uri (string-append "mirror://sourceforge/" name "/"
"PCManFM%20%2B%20Libfm%20%28tarball%20release"
"%29/PCManFM/" name "-" version ".tar.xz"))
+ (patches (search-patches "pcmanfm-CVE-2017-8934.patch"))
(sha256
(base32
"0rxdh0dfzc84l85c54blq42gczygq8adhr3l9hqzy1dp530cm1hc"))))
diff --git a/gnu/packages/patches/pcmanfm-CVE-2017-8934.patch b/gnu/packages/patches/pcmanfm-CVE-2017-8934.patch
new file mode 100644
index 0000000000..489d22c83b
--- /dev/null
+++ b/gnu/packages/patches/pcmanfm-CVE-2017-8934.patch
@@ -0,0 +1,56 @@
+From bc8c3d871e9ecc67c47ff002b68cf049793faf08 Mon Sep 17 00:00:00 2001
+From: Andriy Grytsenko <andrej@rep.kiev.ua>
+Date: Sun, 14 May 2017 21:35:40 +0300
+Subject: [PATCH] Fix potential access violation, use runtime user dir instead
+ of tmp dir.
+
+---
+ NEWS | 4 ++++
+ src/single-inst.c | 7 ++++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/NEWS b/NEWS
+index 8c2049a..876f7f3 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,3 +1,7 @@
++* Fixed potential access violation, use runtime user dir instead of tmp dir
++ for single instance socket.
++
++
+ Changes on 1.2.5 since 1.2.4:
+
+ * Removed options to Cut, Remove and Rename from context menu on mounted
+diff --git a/src/single-inst.c b/src/single-inst.c
+index 62c37b3..aaf84ab 100644
+--- a/src/single-inst.c
++++ b/src/single-inst.c
+@@ -2,7 +2,7 @@
+ * single-inst.c: simple IPC mechanism for single instance app
+ *
+ * Copyright 2010 Hong Jen Yee (PCMan) <pcman.tw@gmail.com>
+- * Copyright 2012 Andriy Grytsenko (LStranger) <andrej@rep.kiev.ua>
++ * Copyright 2012-2017 Andriy Grytsenko (LStranger) <andrej@rep.kiev.ua>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -404,11 +404,16 @@ static void get_socket_name(SingleInstData* data, char* buf, int len)
+ }
+ else
+ dpynum = 0;
++#if GLIB_CHECK_VERSION(2, 28, 0)
++ g_snprintf(buf, len, "%s/%s-socket-%s-%d", g_get_user_runtime_dir(),
++ data->prog_name, host ? host : "", dpynum);
++#else
+ g_snprintf(buf, len, "%s/.%s-socket-%s-%d-%s",
+ g_get_tmp_dir(),
+ data->prog_name,
+ host ? host : "",
+ dpynum,
+ g_get_user_name());
++#endif
+ }
+
+--
+2.1.4
+