Arch Linux Security Advisory ASA-201706-26
==========================================

Severity: Medium
Date    : 2017-06-22
CVE-ID  : CVE-2017-8934
Package : pcmanfm
Type    : denial of service
Remote  : No
Link    : https://security.archlinux.org/AVG-274

Summary
=======

The package pcmanfm before version 1.2.5-2 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 1.2.5-2.

# pacman -Syu "pcmanfm>=1.2.5-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

The socket placed in /tmp by pcmanfm has a predictable name and lives in
a public-writable directory. Therefore, if one user puts a symlink
pointing at a different socket where another user's pcmanfm socket would
be, that other user will either be unable to use pcmanfm, or may end up
sending requests to the first user's pcmanfm instance.

Impact
======

A local attacker might be able to cause a denial of service or trick the
user into sending requests to another pcmanfm instance.

References
==========

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862571
https://git.lxde.org/gitweb/?p=lxde/pcmanfm.git;a=commitdiff;h=bc8c3d871e9ecc67c47ff002b68cf049793faf08
https://security.archlinux.org/CVE-2017-8934
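The class of defect described above (a per-user IPC socket with a predictable name in a world-writable directory, where a symlink can redirect it) can be audited for before a path is trusted. The following POSIX shell check is an added example, not code from the advisory or from pcmanfm; it assumes GNU coreutils `stat`, and since the advisory does not give the pcmanfm socket name, the path is passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the advisory or pcmanfm): audit a per-user IPC
# socket path before a program or an administrator trusts it.
# Assumes GNU coreutils stat. Exit status: 0 = safe, 1 = unsafe (reason
# is printed to stdout).
check_ipc_socket() {
    path=$1
    dir=$(dirname -- "$path")
    me=$(id -u)

    # 1. The containing directory must be ours and not writable by group
    #    or others. /tmp (mode 1777) fails this; a private per-user
    #    directory such as $XDG_RUNTIME_DIR (mode 0700) passes.
    dir_uid=$(stat -c %u -- "$dir") || return 1
    dir_mode=$(stat -c %a -- "$dir") || return 1
    if [ "$dir_uid" != "$me" ]; then
        echo "unsafe: $dir is not owned by uid $me"; return 1
    fi
    # Leading 0 makes the mode an octal literal; 022 = group+other write.
    if [ $(( 0$dir_mode & 022 )) -ne 0 ]; then
        echo "unsafe: $dir is group/other writable (mode $dir_mode)"
        return 1
    fi

    # 2. A pre-existing path must not be a symlink: that is exactly the
    #    redirection the advisory describes.
    if [ -L "$path" ]; then
        echo "unsafe: $path is a symlink"; return 1
    fi

    # 3. If something already exists there, it must be a socket we own.
    if [ -e "$path" ]; then
        if [ ! -S "$path" ]; then
            echo "unsafe: $path exists but is not a socket"; return 1
        fi
        if [ "$(stat -c %u -- "$path")" != "$me" ]; then
            echo "unsafe: $path is owned by another user"; return 1
        fi
    fi
    echo "ok: $path"
    return 0
}
```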