Bug 20864 - pcmanfm new security issue CVE-2017-8934
Summary: pcmanfm new security issue CVE-2017-8934
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory mga5-32-ok MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-05-16 00:10 CEST by David Walser
Modified: 2017-06-04 01:36 CEST (History)
5 users (show)

See Also:
Source RPM: pcmanfm-1.2.3-2.2.mga5.src.rpm
CVE: CVE-2017-8934
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2017-05-16 00:10:20 CEST 
A security issue fixed upstream in pcmanfm has been announced:
http://openwall.com/lists/oss-security/2017/05/15/4

Mageia 5 is probably also affected.
David Walser 2017-05-16 00:13:58 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Nicolas Salguero 2017-05-16 10:35:19 CEST 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

PCManFM 1.2.5 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (application unavailability). (CVE-2017-8934)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8934
http://openwall.com/lists/oss-security/2017/05/15/4
========================

Updated packages in core/updates_testing:
========================
pcmanfm-1.2.3-2.3.mga5

from SRPMS:
pcmanfm-1.2.3-2.3.mga5.src.rpm

Source RPM: pcmanfm-1.2.5-2.mga6.src.rpm => pcmanfm-1.2.3-2.2.mga5.src.rpm
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2017-8934
Assignee: lists.jjorge => qa-bugs
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Dave Hodgins 2017-05-21 03:02:10 CEST

Whiteboard: (none) => advisory
CC: (none) => davidwhodgins

Comment 2 Brian Rockwell 2017-06-01 18:01:57 CEST 
$ uname -a
Linux localhost 4.4.68-desktop-1.mga5 #1 SMP Sun May 14 18:41:19 UTC 2017 i686 i686 i686 GNU/Linux

running LXDE in vbox

The following package is going to be installed:

- pcmanfm-1.2.3-2.3.mga5.i586

110B of additional disk space will be used.

269KB of packages will be retrieved.

Is it ok to continue?

I opened it from the terminal and opened some files - it is working properly.

opened via menu - tools - system tools - working as designed.

CC: (none) => brtians1
Whiteboard: advisory => advisory mga5-32-ok

Comment 3 Lewis Smith 2017-06-02 20:42:34 CEST 
Testing M5_64, LXDE

Updated pcmanfm to: pcmanfm-1.2.3-2.3.mga5
Tried various things from the menus as well as normal filesystem browsing. It seems to work as normal. OKing & validating; advisory already there.

Keywords: (none) => validated_update
Whiteboard: advisory mga5-32-ok => advisory mga5-32-ok MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs

Comment 4 Mageia Robot 2017-06-04 01:36:34 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0154.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.