Bug 20864 - pcmanfm new security issue CVE-2017-8934
Summary: pcmanfm new security issue CVE-2017-8934
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: advisory mga5-32-ok MGA5-64-OK
Keywords: validated_update
Depends on:
Reported: 2017-05-16 00:10 CEST by David Walser
Modified: 2017-06-04 01:36 CEST (History)
5 users (show)

See Also:
Source RPM: pcmanfm-1.2.3-2.2.mga5.src.rpm
CVE: CVE-2017-8934
Status comment:


Description David Walser 2017-05-16 00:10:20 CEST
A security issue fixed upstream in pcmanfm has been announced:

Mageia 5 is probably also affected.
Comment 1 Nicolas Salguero 2017-05-16 10:35:19 CEST
Suggested advisory:

The updated package fixes a security vulnerability:

PCManFM 1.2.5 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (application unavailability). (CVE-2017-8934)


Updated packages in core/updates_testing:

from SRPMS:
Comment 2 Brian Rockwell 2017-06-01 18:01:57 CEST
$ uname -a
Linux localhost 4.4.68-desktop-1.mga5 #1 SMP Sun May 14 18:41:19 UTC 2017 i686 i686 i686 GNU/Linux

running LXDE in vbox

The following package is going to be installed:

- pcmanfm-1.2.3-2.3.mga5.i586

110B of additional disk space will be used.

269KB of packages will be retrieved.

Is it ok to continue?

I opened it from the terminal and opened some files - it is working properly.

opened via menu - tools - system tools - working as designed.
Comment 3 Lewis Smith 2017-06-02 20:42:34 CEST
Testing M5_64, LXDE

Updated pcmanfm to: pcmanfm-1.2.3-2.3.mga5
Tried various things from the menus as well as normal filesystem browsing. It seems to work as normal. OKing & validating; advisory already there.
Comment 4 Mageia Robot 2017-06-04 01:36:34 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Note You need to log in before you can comment on or make changes to this bug.