[CVE] socket can be blocked by another user

Bug #1690416 reported by Simon Quigley
Affects | Status | Importance | Assigned to | Milestone
lxterminal (Ubuntu) | Fix Released | Undecided | Unassigned |
Trusty | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
Zesty | Fix Released | Undecided | Simon Quigley |
Artful | Fix Released | Undecided | Unassigned |

Bug Description

unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE References

Simon Quigley (tsimonq2)
Changed in lxterminal (Ubuntu):
status: New → In Progress
assignee: nobody → Simon Quigley (tsimonq2)
information type: Private Security → Public Security
Simon Quigley (tsimonq2) wrote :

In order to fix this, we can just sync 0.3.0-2 from Sid to Zesty. Here is the changelog for 0.3.0-2:

lxterminal (0.3.0-2) unstable; urgency=high

  * Fix improper use of /tmp for a socket file. (CVE-2016-10369)
    (Closes: #862098)
  * Fix tab renaming dialog. (Closes: #862096)

 -- Yao Wei (魏銘廷) <email address hidden> Tue, 09 May 2017 12:13:07 +0800

The first entry is fixing the CVE that this bug is about, and the second entry is fixing a bug that we would have to upload anyways "unable to rename tabs" and that's perfectly valid for an SRU, in my opinion.

Security team, I think there's a few options here:
 1. Make an Ubuntu delta with only this CVE in Zesty, upload it to zesty-security, and file a separate SRU bug to get the additional patch from Debian in there. I think, technically speaking, this follows the most rules.
 2. Just sync from Debian Sid as shown above, and skip the SRU docs for the additional part of the upload. This would be the easiest, and it would be simpler.

Thoughts?

Changed in lxterminal (Ubuntu Artful):
status: In Progress → Fix Released
assignee: Simon Quigley (tsimonq2) → nobody
Changed in lxterminal (Ubuntu Zesty):
status: New → In Progress
assignee: nobody → Simon Quigley (tsimonq2)
Tyler Hicks (tyhicks) wrote :

Hi Simon - Thanks for the bug report. The tab renaming bug fix is more appropriate for the SRU process. Could you attach a debdiff for zesty-security that only addresses CVE-2016-10369? Thanks!

Changed in lxterminal (Ubuntu Zesty):
status: In Progress → Incomplete
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxterminal - 0.3.0-1ubuntu0.1

---------------
lxterminal (0.3.0-1ubuntu0.1) zesty-security; urgency=medium

  * SECURITY UPDATE: insecure /tmp use denial of service (LP: #1690416)
    - debian/patches/01-cve-2016-10369.diff: use per-user runtime
      directory for socket
    - CVE-2016-10369

 -- Steve Beattie <email address hidden> Fri, 19 May 2017 11:21:56 -0700

Changed in lxterminal (Ubuntu Zesty):
status: Incomplete → Fix Released
Simon Quigley (tsimonq2) wrote :

Whoops, it seems this also affects Xenial and Trusty. I'll get a fix ASAP.

Simon Quigley (tsimonq2) wrote :

Attached is a debdiff for Xenial applicable to 0.2.0-1.

Simon Quigley (tsimonq2) wrote :

Whoops, I accidentally forgot to change the release to xenial-security, so here's an updated patch...

Simon Quigley (tsimonq2) wrote :

Attached is a debdiff for Trusty applicable to 0.1.11-4ubuntu3.

Simon Quigley (tsimonq2) wrote :

For both of my debdiffs, I had to do some backporting using the methods used in the older code and I had to substitute the old methods in for the new ones when applying the patch, if that makes sense. To be more specific, here's what upstream did on the master branch:

- gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", gdk_display_get_name(gdk_display_get_default()), g_get_user_name());
+ gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", g_get_user_runtime_dir(), gdk_display_get_name(gdk_display_get_default()));
+ printf("%s\n", socket_path);
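Review bot: The last added line, printf("%s\n", socket_path);, looks like leftover debugging: it writes the socket path to stdout every time this code runs, which is unrelated to moving the socket out of /tmp. Suggest dropping it, or routing it through g_debug() so it only appears when debug logging is enabled.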

But here's what the existing code looked like in both the 0.2.0 and the 0.1.11 tags:

    gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", gdk_get_display(), g_get_user_name());

As you can probably tell, the newer code changed compared to the old code. So I adapted the patch for the older methods used in the code, and here's what I ended up with:

- gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", gdk_get_display(), g_get_user_name());
+ gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", g_get_user_runtime_dir(), gdk_get_display());
+ printf("%s\n", socket_path);
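Review bot: With g_get_user_name() dropped from the file name on the second line, the socket's isolation rests entirely on g_get_user_runtime_dir() returning a directory that only this user can write to, and nothing in the change says so. A one-line comment to that effect would help the next backporter, and it is worth confirming the result on Trusty and Xenial sessions where XDG_RUNTIME_DIR is unset, since GLib then falls back to the user cache directory. The printf on the last line is carried over from upstream and could be left out of a security-only update.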

After testing this out from my PPA (ppa:tsimonq2/lxterminal-bug-1690416) on both a Trusty and a Xenial system, it works just as intended (it creates the file in the correct location rather than in /tmp).

Any concerns with my logic there?
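
The per-user directory idea behind this fix, as an added example in plain POSIX C that is not lxterminal's code and not part of this report. The names dir_is_private and build_socket_path are hypothetical, and the ownership and mode check is an assumption that goes beyond the patch above, which relies on g_get_user_runtime_dir() alone.

```c
/* Added example, not lxterminal's code; function names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 0 if dir is a real directory owned by the caller with no group/other
 * permission bits set; -1 otherwise. lstat() so a symlink is not followed. */
int dir_is_private(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    if (st.st_uid != geteuid())
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) ? -1 : 0;
}

/* Writes "<dir>/.lxterminal-socket-<display>" into out, the same layout as
 * the patched format string, but only if dir passes dir_is_private(). */
int build_socket_path(const char *dir, const char *display,
                      char *out, size_t outlen)
{
    if (dir == NULL || display == NULL || dir[0] != '/')
        return -1;
    if (strchr(display, '/') != NULL)   /* file name must stay inside dir */
        return -1;
    if (dir_is_private(dir) != 0)
        return -1;
    int n = snprintf(out, outlen, "%s/.lxterminal-socket-%s", dir, display);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char path[108];                     /* size of sun_path on Linux */
    const char *rt = getenv("XDG_RUNTIME_DIR");  /* assumed set by the session */
    if (build_socket_path(rt, ":0", path, sizeof path) == 0)
        printf("socket path: %s\n", path);
    else
        printf("refusing: runtime dir unset or not private\n");
    /* The pre-fix location: /tmp is world-writable, so it is rejected. */
    printf("/tmp accepted: %s\n",
           build_socket_path("/tmp", ":0", path, sizeof path) == 0 ? "yes" : "no");
    return 0;
}
```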

Simon Quigley (tsimonq2)
Changed in lxterminal (Ubuntu Trusty):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in lxterminal (Ubuntu Xenial):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in lxterminal (Ubuntu Trusty):
status: New → In Progress
Changed in lxterminal (Ubuntu Xenial):
status: New → In Progress
Tyler Hicks (tyhicks) wrote :

Hi Simon - These backports look good to me. I've uploaded them to ppa:ubuntu-security-proposed/ppa and will release them later today. Thank you and sorry about the delay in getting these sponsored.

Changed in lxterminal (Ubuntu Trusty):
status: In Progress → Confirmed
Changed in lxterminal (Ubuntu Xenial):
status: In Progress → Confirmed
Changed in lxterminal (Ubuntu Trusty):
assignee: Simon Quigley (tsimonq2) → nobody
Changed in lxterminal (Ubuntu Xenial):
assignee: Simon Quigley (tsimonq2) → nobody
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxterminal - 0.2.0-1ubuntu0.1

---------------
lxterminal (0.2.0-1ubuntu0.1) xenial-security; urgency=high

  * SECURITY UPDATE: insecure /tmp use denial of service (LP: #1690416)
    - debian/patches/fix-CVE-2016-10369.patch
    - CVE-2016-10369

 -- Simon Quigley <email address hidden> Tue, 11 Jul 2017 00:48:57 -0500

Changed in lxterminal (Ubuntu Xenial):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxterminal - 0.1.11-4ubuntu3.1

---------------
lxterminal (0.1.11-4ubuntu3.1) trusty-security; urgency=high

  * SECURITY UPDATE: insecure /tmp use denial of service (LP: #1690416)
    - debian/patches/fix-CVE-2016-10369.patch
    - CVE-2016-10369

 -- Simon Quigley <email address hidden> Tue, 11 Jul 2017 01:19:58 -0500

Changed in lxterminal (Ubuntu Trusty):
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.