[ASA-201706-26] pcmanfm: denial of service

Published: 2017-06-22 00:00:00
Source: security.archlinux.org

CVSS2 : 2.1 Low (AV:L/AC:L/Au:N/C:N/I:N/A:P)
Attack Vector : LOCAL
Attack Complexity : LOW
Authentication : NONE
Confidentiality Impact : NONE
Integrity Impact : NONE
Availability Impact : PARTIAL

CVSS3 : 5.5 Medium (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Attack Vector : LOCAL
Attack Complexity : LOW
Privileges Required : LOW
User Interaction : NONE
Scope : UNCHANGED
Confidentiality Impact : NONE
Integrity Impact : NONE
Availability Impact : HIGH

EPSS : 0.0004 Low (percentile 5.1%)

Arch Linux Security Advisory ASA-201706-26

Severity: Medium
Date : 2017-06-22
CVE-ID : CVE-2017-8934
Package : pcmanfm
Type : denial of service
Remote : No
Link : https://security.archlinux.org/AVG-274

Summary

The package pcmanfm before version 1.2.5-2 is vulnerable to denial of
service.

Resolution

Upgrade to 1.2.5-2.

pacman -Syu "pcmanfm>=1.2.5-2"

The problem has been fixed upstream but no release is available yet.

Workaround

None.

Description

The socket that pcmanfm places in /tmp has a predictable name and is
world-writable. A user who puts a symlink to a different socket at the
path that another user's pcmanfm expects causes that second user either
to be unable to use pcmanfm, or to send requests to the first user's
pcmanfm instead.
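The symlink redirection described above, as an added example that is not pcmanfm's code: a check a program reusing a socket path in a shared directory such as /tmp can run before trusting a pre-existing path. It lstat()s the path and refuses anything that is a symlink, not a socket, or owned by another user. The fixture directory, file names and the helper functions are constructed for this demonstration.

```c
#define _DEFAULT_SOURCE            /* mkdtemp(), symlink() prototypes on glibc */
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Trust a pre-existing socket path only if it is a real socket owned by the
 * caller. lstat() (not stat()) is used so a planted symlink is seen, not followed. */
int socket_path_is_trusted(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)     /* missing or unreadable: nothing to trust */
        return 0;
    if (S_ISLNK(st.st_mode))       /* the redirection the advisory describes */
        return 0;
    if (!S_ISSOCK(st.st_mode))     /* a regular file or directory squatting */
        return 0;
    return st.st_uid == getuid();  /* someone else's socket: refuse it */
}

/* Constructed fixture (hypothetical names): bind our own socket inside a
 * private 0700 directory from mkdtemp(), then add a symlink beside it standing
 * in for the planted path. Returns 1 when the check accepts the real socket
 * and rejects the symlink, 0 otherwise. */
int run_demo(void)
{
    char dir[] = "/tmp/asa-201706-26.XXXXXX";
    char own[128], planted[128];
    struct sockaddr_un addr;
    int fd, ok = 0;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(own, sizeof own, "%s/own.sock", dir);
    snprintf(planted, sizeof planted, "%s/planted.sock", dir);
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, own, sizeof addr.sun_path - 1);
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&addr, sizeof addr) == 0 &&
        symlink(own, planted) == 0)
        ok = socket_path_is_trusted(own) && !socket_path_is_trusted(planted);
    if (fd >= 0) close(fd);
    unlink(planted); unlink(own); rmdir(dir);   /* clean up the fixture */
    return ok;
}

int main(void) { return run_demo() ? 0 : 1; }
```

The per-user mkdtemp() directory the fixture uses is itself the safer pattern: a socket under a mode-0700 directory owned by the user cannot be replaced by a co-tenant of /tmp.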

Impact

A local attacker might be able to cause a denial of service or trick
the user into sending requests to another pcmanfm instance.

References

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862571
https://git.lxde.org/gitweb/?p=lxde/pcmanfm.git;a=commitdiff;h=bc8c3d871e9ecc67c47ff002b68cf049793faf08
https://security.archlinux.org/CVE-2017-8934

OS          Version  Architecture  Package  Version    Filename
Arch Linux  any      any           pcmanfm  < 1.2.5-2  UNKNOWN
