Fix CVE-2016-10369: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10369
Patch copied from upstream source repository:
https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648

From f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648 Mon Sep 17 00:00:00 2001
From: Yao Wei
Date: Mon, 8 May 2017 00:47:55 +0800
Subject: [PATCH] fix: use g_get_user_runtime_dir for socket directory

This bug is pointed out by stackexchange user that putting socket file in /tmp is a potential risk. Putting the socket dir in user directory could mitigate the risk.
---
 src/unixsocket.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/unixsocket.c b/src/unixsocket.c
index 4c660ac..f88284c 100644
--- a/src/unixsocket.c
+++ b/src/unixsocket.c
@@ -140,7 +140,8 @@ gboolean lxterminal_socket_initialize(LXTermWindow * lxtermwin, gint argc, gchar
 * This function returns TRUE if this process should keep running and FALSE if it should exit. */
 
 /* Formulate the path for the Unix domain socket. */
- gchar * socket_path = g_strdup_printf("/tmp/.lxterminal-socket%s-%s", gdk_display_get_name(gdk_display_get_default()), g_get_user_name());
+ gchar * socket_path = g_strdup_printf("%s/.lxterminal-socket-%s", g_get_user_runtime_dir(), gdk_display_get_name(gdk_display_get_default()));
+ printf("%s\n", socket_path);
 
 /* Create socket. */
 int fd = socket(PF_UNIX, SOCK_STREAM, 0);
-- 
2.1.4
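Review bot: The added `printf("%s\n", socket_path);` reads as leftover debug output — it prints the socket path to stdout on every launch, is not mentioned in the commit message, and serves no purpose in a GUI program; drop that line. `g_get_user_runtime_dir()` falls back to the user cache directory when `XDG_RUNTIME_DIR` is unset, and that directory does not carry the per-user, mode-0700 guarantees of a real runtime dir, so the new code should confirm the directory exists and is owned by the current user (for example `g_mkdir_with_parents(dir, 0700)` plus a stat check) before binding, and treat failure as "do not create the socket" rather than silently continuing. The display name is still interpolated into the filename without sanitizing, and a configurable runtime dir can yield a longer path than the old `/tmp/...` one, so the length should be checked against `sizeof(sun_path)` before the `bind()` that presumably follows later in `lxterminal_socket_initialize`; that code, like the start of the function, is outside the hunk.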