community/pcmanfm: fix CVE-2017-8934

author: Natanael Copa <ncopa@alpinelinux.org> 2017-05-22 12:40:58 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2017-05-22 12:40:58 +0000
commit: a28f3503a4b1c9910c9dd1a9984053ba50570029 (patch)
tree: 8412e32ef4e24b6015c9521659c4569d99b631ac
parent: 4a8fa9161a7ecbdd21466efbc067d5397398125a (diff)
download: alpine_aports-a28f3503a4b1c9910c9dd1a9984053ba50570029.tar.bz2
alpine_aports-a28f3503a4b1c9910c9dd1a9984053ba50570029.tar.xz
alpine_aports-a28f3503a4b1c9910c9dd1a9984053ba50570029.zip
2 files changed, 66 insertions, 6 deletions
diff --git a/community/pcmanfm/APKBUILD b/community/pcmanfm/APKBUILD
index f506c52a5c..462808dc64 100644
--- a/community/pcmanfm/APKBUILD
+++ b/community/pcmanfm/APKBUILD
@@ -1,16 +1,21 @@
 # Contributor: Bartłomiej Piotrowski <bpiotrowski@alpinelinux.org>
-# Maintainer:
+# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=pcmanfm
 pkgver=1.2.5
-pkgrel=0
+pkgrel=1
 pkgdesc='Extremely fast and lightweight file manager'
 arch='all'
 url='http://pcmanfm.sourceforge.net/'
 license='GPL'
 makedepends='gtk+2.0-dev libfm-dev intltool'
 subpackages="$pkgname-doc $pkgname-lang"
-source="http://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.xz"
+source="http://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.xz
+        CVE-2017-8934.patch"
+# secfixes:
+#   1.2.5-r1:
+#     - CVE-2017-8934
 build() {
  cd "$srcdir/$pkgname-$pkgver"
@@ -27,6 +32,5 @@ package() {
    "$pkgdir"/usr/share/applications/pcmanfm.desktop || return 1
 }
-md5sums="b4d1f8ce08d87e4f27805a246fc51ac2  pcmanfm-1.2.5.tar.xz"
+sha512sums="ce53315483f58361c5a7797bdca355dbbedc2cf3907d319c7c65be844ea74ed297497dc3183c903e06b8294f6301d19347f6b9871e34bf773c04ff4fb8ab32f3  pcmanfm-1.2.5.tar.xz
-sha256sums="0c86cac028b705ff314c7464d814c2cf7ff604c17491c20aa204b1ef1a80ad67  pcmanfm-1.2.5.tar.xz"
+31c669e61832c1144dac7ef619b8dcdef7ee43f3f40e874695bef6aecc81d53caabb66913ea96ed5c2f5d79ac9bb5379ef317d9428bef837013c18d24da7536e  CVE-2017-8934.patch"
-sha512sums="ce53315483f58361c5a7797bdca355dbbedc2cf3907d319c7c65be844ea74ed297497dc3183c903e06b8294f6301d19347f6b9871e34bf773c04ff4fb8ab32f3  pcmanfm-1.2.5.tar.xz"
diff --git a/community/pcmanfm/CVE-2017-8934.patch b/community/pcmanfm/CVE-2017-8934.patch
new file mode 100644
index 0000000000..489d22c83b
--- /dev/null
+++ b/community/pcmanfm/CVE-2017-8934.patch
@@ -0,0 +1,56 @@
+From bc8c3d871e9ecc67c47ff002b68cf049793faf08 Mon Sep 17 00:00:00 2001
+From: Andriy Grytsenko <andrej@rep.kiev.ua>
+Date: Sun, 14 May 2017 21:35:40 +0300
+Subject: [PATCH] Fix potential access violation, use runtime user dir instead
+ of tmp dir.
+---
+ NEWS              | 4 ++++
+ src/single-inst.c | 7 ++++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+diff --git a/NEWS b/NEWS
+index 8c2049a..876f7f3 100644
+--- a/NEWS
+++ b/NEWS
+@@ -1,3 +1,7 @@
+* Fixed potential access violation, use runtime user dir instead of tmp dir
+    for single instance socket.
+
+
+ Changes on 1.2.5 since 1.2.4:
+ 
+ * Removed options to Cut, Remove and Rename from context menu on mounted
+diff --git a/src/single-inst.c b/src/single-inst.c
+index 62c37b3..aaf84ab 100644
+--- a/src/single-inst.c
+++ b/src/single-inst.c
+@@ -2,7 +2,7 @@
+  *      single-inst.c: simple IPC mechanism for single instance app
+  *
+  *      Copyright 2010 Hong Jen Yee (PCMan) <pcman.tw@gmail.com>
+- *      Copyright 2012 Andriy Grytsenko (LStranger) <andrej@rep.kiev.ua>
+ *      Copyright 2012-2017 Andriy Grytsenko (LStranger) <andrej@rep.kiev.ua>
+  *
+  *      This program is free software; you can redistribute it and/or modify
+  *      it under the terms of the GNU General Public License as published by
+@@ -404,11 +404,16 @@ static void get_socket_name(SingleInstData* data, char* buf, int len)
+     }
+     else
+         dpynum = 0;
+#if GLIB_CHECK_VERSION(2, 28, 0)
+    g_snprintf(buf, len, "%s/%s-socket-%s-%d", g_get_user_runtime_dir(),
+               data->prog_name, host ? host : "", dpynum);
+#else
+     g_snprintf(buf, len, "%s/.%s-socket-%s-%d-%s",
+                 g_get_tmp_dir(),
+                 data->prog_name,
+                 host ? host : "",
+                 dpynum,
+                 g_get_user_name());
+#endif
+ }
+ 
+-- 
+2.1.4
author	Natanael Copa <ncopa@alpinelinux.org>	2017-05-22 12:40:58 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2017-05-22 12:40:58 +0000
commit	a28f3503a4b1c9910c9dd1a9984053ba50570029 (patch)
tree	8412e32ef4e24b6015c9521659c4569d99b631ac
parent	4a8fa9161a7ecbdd21466efbc067d5397398125a (diff)
download	alpine_aports-a28f3503a4b1c9910c9dd1a9984053ba50570029.tar.bz2 alpine_aports-a28f3503a4b1c9910c9dd1a9984053ba50570029.tar.xz alpine_aports-a28f3503a4b1c9910c9dd1a9984053ba50570029.zip

diff --git a/community/pcmanfm/APKBUILD b/community/pcmanfm/APKBUILD index f506c52a5c..462808dc64 100644 --- a/community/pcmanfm/APKBUILD +++ b/community/pcmanfm/APKBUILD
@@ -1,16 +1,21 @@
1	# Contributor: Bartłomiej Piotrowski <bpiotrowski@alpinelinux.org>	1	# Contributor: Bartłomiej Piotrowski <bpiotrowski@alpinelinux.org>
2	# Maintainer:	2	# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
3		3
4	pkgname=pcmanfm	4	pkgname=pcmanfm
5	pkgver=1.2.5	5	pkgver=1.2.5
6	pkgrel=0	6	pkgrel=1
7	pkgdesc='Extremely fast and lightweight file manager'	7	pkgdesc='Extremely fast and lightweight file manager'
8	arch='all'	8	arch='all'
9	url='http://pcmanfm.sourceforge.net/'	9	url='http://pcmanfm.sourceforge.net/'
10	license='GPL'	10	license='GPL'
11	makedepends='gtk+2.0-dev libfm-dev intltool'	11	makedepends='gtk+2.0-dev libfm-dev intltool'
12	subpackages="$pkgname-doc $pkgname-lang"	12	subpackages="$pkgname-doc $pkgname-lang"
13	source="http://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.xz"	13	source="http://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.xz
		14	CVE-2017-8934.patch"
		15
		16	# secfixes:
		17	# 1.2.5-r1:
		18	# - CVE-2017-8934
14		19
15	build() {	20	build() {
16	cd "$srcdir/$pkgname-$pkgver"	21	cd "$srcdir/$pkgname-$pkgver"
@@ -27,6 +32,5 @@ package() {
27	"$pkgdir"/usr/share/applications/pcmanfm.desktop \|\| return 1	32	"$pkgdir"/usr/share/applications/pcmanfm.desktop \|\| return 1
28	}	33	}
29		34
30	md5sums="b4d1f8ce08d87e4f27805a246fc51ac2 pcmanfm-1.2.5.tar.xz"	35	sha512sums="ce53315483f58361c5a7797bdca355dbbedc2cf3907d319c7c65be844ea74ed297497dc3183c903e06b8294f6301d19347f6b9871e34bf773c04ff4fb8ab32f3 pcmanfm-1.2.5.tar.xz
31	sha256sums="0c86cac028b705ff314c7464d814c2cf7ff604c17491c20aa204b1ef1a80ad67 pcmanfm-1.2.5.tar.xz"	36	31c669e61832c1144dac7ef619b8dcdef7ee43f3f40e874695bef6aecc81d53caabb66913ea96ed5c2f5d79ac9bb5379ef317d9428bef837013c18d24da7536e CVE-2017-8934.patch"
32	sha512sums="ce53315483f58361c5a7797bdca355dbbedc2cf3907d319c7c65be844ea74ed297497dc3183c903e06b8294f6301d19347f6b9871e34bf773c04ff4fb8ab32f3 pcmanfm-1.2.5.tar.xz"


diff --git a/community/pcmanfm/CVE-2017-8934.patch b/community/pcmanfm/CVE-2017-8934.patch new file mode 100644 index 0000000000..489d22c83b --- /dev/null +++ b/community/pcmanfm/CVE-2017-8934.patch
@@ -0,0 +1,56 @@
		1	From bc8c3d871e9ecc67c47ff002b68cf049793faf08 Mon Sep 17 00:00:00 2001
		2	From: Andriy Grytsenko <andrej@rep.kiev.ua>
		3	Date: Sun, 14 May 2017 21:35:40 +0300
		4	Subject: [PATCH] Fix potential access violation, use runtime user dir instead
		5	of tmp dir.
		6
		7	---
		8	NEWS \| 4 ++++
		9	src/single-inst.c \| 7 ++++++-
		10	2 files changed, 10 insertions(+), 1 deletion(-)
		11
		12	diff --git a/NEWS b/NEWS
		13	index 8c2049a..876f7f3 100644
		14	--- a/NEWS
		15	+++ b/NEWS
		16	@@ -1,3 +1,7 @@
		17	+* Fixed potential access violation, use runtime user dir instead of tmp dir
		18	+ for single instance socket.
		19	+
		20	+
		21	Changes on 1.2.5 since 1.2.4:
		22
		23	* Removed options to Cut, Remove and Rename from context menu on mounted
		24	diff --git a/src/single-inst.c b/src/single-inst.c
		25	index 62c37b3..aaf84ab 100644
		26	--- a/src/single-inst.c
		27	+++ b/src/single-inst.c
		28	@@ -2,7 +2,7 @@
		29	* single-inst.c: simple IPC mechanism for single instance app
		30	*
		31	* Copyright 2010 Hong Jen Yee (PCMan) <pcman.tw@gmail.com>
		32	- * Copyright 2012 Andriy Grytsenko (LStranger) <andrej@rep.kiev.ua>
		33	+ * Copyright 2012-2017 Andriy Grytsenko (LStranger) <andrej@rep.kiev.ua>
		34	*
		35	* This program is free software; you can redistribute it and/or modify
		36	* it under the terms of the GNU General Public License as published by
		37	@@ -404,11 +404,16 @@ static void get_socket_name(SingleInstData* data, char* buf, int len)
		38	}
		39	else
		40	dpynum = 0;
		41	+#if GLIB_CHECK_VERSION(2, 28, 0)
		42	+ g_snprintf(buf, len, "%s/%s-socket-%s-%d", g_get_user_runtime_dir(),
		43	+ data->prog_name, host ? host : "", dpynum);
		44	+#else
		45	g_snprintf(buf, len, "%s/.%s-socket-%s-%d-%s",
		46	g_get_tmp_dir(),
		47	data->prog_name,
		48	host ? host : "",
		49	dpynum,
		50	g_get_user_name());
		51	+#endif
		52	}
		53
		54	--
		55	2.1.4
		56