Bug 20815 - lxterminal new security issue CVE-2016-10369
Summary: lxterminal new security issue CVE-2016-10369
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Keywords: validated_update
Depends on:
Reported: 2017-05-09 16:29 CEST by David Walser
Modified: 2017-05-10 23:01 CEST

See Also:
Source RPM: lxterminal-0.3.0-4.mga6.src.rpm
Status comment:


Description David Walser 2017-05-09 16:29:58 CEST
A security issue fixed upstream in lxterminal has been announced:

The message above contains a link to the upstream commit that fixed the issue.

Mageia 5 is probably also affected.
David Walser 2017-05-09 16:30:04 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Nicolas Salguero 2017-05-10 09:59:03 CEST
Done for Cauldron and Mga5.

Suggested advisory:

The updated package fixes a security vulnerability:

unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control). (CVE-2016-10369)


Updated packages in core/updates_testing:

from SRPMS:

Version: Cauldron => 5
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 2 Len Lawrence 2017-05-10 16:31:54 CEST
x86_64 on real hardware.

Ran lxterminal from a Mate terminal using this command:

$ lxterminal & sleep 1; lxterminal
[1] 14711
$ ps aux | grep lxterm
lcl      14711  0.3  0.3 432204 24304 pts/1    Sl   14:16   0:00 lxterminal
lcl      14812  0.0  0.0  12256  2244 pts/1    S+   14:17   0:00 grep lxterm

This shows only one instance of lxterminal but in fact there are two active on screen.  See https://unix.stackexchange.com/questions/333539/lxterminal-in-the-netstat-output/333578 for the discussion.

Killed both and ran the update then the double lxterm command.

$ lxterminal & sleep 1 ; lxterminal
[1] 15617
[lcl@belexeuli ~]$ ps aux | grep lxterm
lcl      15617  0.1  0.2 432212 24152 pts/1    Sl   14:25   0:00 lxterminal
lcl      15732  0.0  0.0  12256  2268 pts/1    S+   14:26   0:00 grep lxterm

Typing exit in the two terminals does not remove the socket but if the double command is issued again the socket is overwritten, or maybe reused.  The datestamp changes.
First time:
$ ls -al /run/user/1000
srwxr-xr-x 1 lcl  lcl    0 May 10 15:03 .lxterminal-socket-:0
Second time:
srwxr-xr-x 1 lcl  lcl    0 May 10 15:05 .lxterminal-socket-:0

Not sure of the significance of this but taking this as a sign that the socket allocation is more secure.

CC: (none) => tarazed25

Len Lawrence 2017-05-10 16:32:11 CEST

Whiteboard: (none) => MGA5-64-OK
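
The property the test in Comment 2 is looking for, written out as an added example (it is not part of this bug report or of lxterminal's code): the socket must sit in a directory that is owned by the user and not writable by group or others, which is normally true of /run/user/1000 and never true of /tmp. It assumes GNU coreutils stat; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the bug report or from lxterminal.
# Assumes GNU coreutils stat(1) with the -c format option.

# socket_dir_is_private DIR
# Succeeds only if DIR is a real directory owned by the calling user and
# not writable by group or others. /tmp (mode 1777) fails; a per-user
# runtime directory such as /run/user/1000 (normally mode 0700) passes.
socket_dir_is_private() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    owner=$(stat -c '%u' "$dir") || return 1
    perm=$(stat -c '%a' "$dir") || return 1
    if [ "$owner" != "$(id -u)" ]; then
        echo "$dir: owned by uid $owner, not by the current user" >&2
        return 1
    fi
    # 022 = group-write | other-write bits of the octal mode
    if [ $(( 0$perm & 022 )) -ne 0 ]; then
        echo "$dir: mode $perm lets other users create or replace entries" >&2
        return 1
    fi
    return 0
}

# check_socket PATH
# Succeeds if PATH is a Unix socket owned by the caller and its parent
# directory passes socket_dir_is_private.
check_socket() {
    sock=$1
    [ -S "$sock" ] || { echo "$sock: not a socket" >&2; return 1; }
    if [ "$(stat -c '%u' "$sock")" != "$(id -u)" ]; then
        echo "$sock: socket is owned by another user" >&2
        return 1
    fi
    socket_dir_is_private "$(dirname -- "$sock")"
}

# Usage with the socket name shown in Comment 2 (display :0):
#   check_socket "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/.lxterminal-socket-:0"
```

The socket's own srwxr-xr-x mode in the listing is not the deciding factor here; what matters is whether another local user can create or replace the entry in the parent directory.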

Comment 3 Len Lawrence 2017-05-10 16:41:57 CEST
i586 in virtualbox

Ran the command
$ lxterminal & sleep 1; lxterminal
which generated two lxterms but only one showed up in the list of processes.

After updating the command showed that a socket in /run/user/1000 was being used for both lxterms.
$ lxterminal & sleep 1 ; lxterminal
[1] 22248

The terminal works as expected.

Giving this the OK.
Len Lawrence 2017-05-10 16:42:16 CEST

Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK

Comment 4 Lewis Smith 2017-05-10 18:48:35 CEST
@Len: a good once again!
Validating & advisoried.

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs

Comment 5 Mageia Robot 2017-05-10 23:01:17 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED
