
Arch Linux: ASA-201707-15 Medium: Thunar Denial Of Service

The package pcmanfm before version 1.2.5-2 is vulnerable to denial of service.
Arch Linux Security Advisory ASA-201706-26
=========================================
Severity: Medium
Date    : 2017-06-22
CVE-ID  : CVE-2017-8934
Package : pcmanfm
Type    : denial of service
Remote  : No
Link    : https://security.archlinux.org/AVG-274

Summary
=======
The package pcmanfm before version 1.2.5-2 is vulnerable to denial of
service.

Resolution
==========
Upgrade to 1.2.5-2.

# pacman -Syu "pcmanfm>=1.2.5-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========
None.

Description
===========
The socket that pcmanfm places in /tmp has a predictable name and lives in
a world-writable directory. If one user pre-creates, at the path another
user's pcmanfm will use, a symlink pointing to a different socket, then
that other user will either be unable to use pcmanfm or may unknowingly
send requests to the first user's pcmanfm instance.

Impact
======
A local attacker might be able to cause a denial of service or trick
the user into sending requests to another pcmanfm instance.
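The following is an added illustration of the defensive pattern behind this class of bug; it is not pcmanfm's code and not the upstream fix. It shows how a program that needs a per-user Unix socket can audit the chosen path before binding (refusing a pre-existing symlink or a path in a shared, world-writable directory such as /tmp) and how it can pick a private directory instead. The function names (audit_socket_path, private_runtime_dir, bind_private_socket, demo) and the constructed scenarios are assumptions of this example.

```python
import os
import socket
import stat
import tempfile


def audit_socket_path(path: str) -> list:
    """Return findings explaining why `path` is unsafe to use as a
    Unix-domain socket endpoint; an empty list means nothing was found.

    The checks mirror the advisory: a predictable name inside a
    world-writable directory can be pre-created by another local user
    (for instance as a symlink to some other socket)."""
    findings = []
    parent = os.path.dirname(path) or "."
    uid = os.getuid()
    try:
        pst = os.lstat(parent)
    except FileNotFoundError:
        return ["parent directory does not exist"]
    if stat.S_ISLNK(pst.st_mode):
        findings.append("parent directory is a symlink")
    if pst.st_mode & stat.S_IWOTH:
        findings.append("parent directory is world-writable (shared like /tmp)")
    if pst.st_uid != uid:
        findings.append("parent directory is not owned by the current user")
    try:
        st = os.lstat(path)  # lstat: never follow a planted symlink
    except FileNotFoundError:
        return findings  # nothing pre-created at the path
    if stat.S_ISLNK(st.st_mode):
        findings.append("path already exists and is a symlink")
    elif not stat.S_ISSOCK(st.st_mode):
        findings.append("path already exists and is not a socket")
    if st.st_uid != uid:
        findings.append("pre-existing path is owned by another user")
    return findings


def private_runtime_dir() -> str:
    """A directory only the current user can write to. Prefers
    $XDG_RUNTIME_DIR (per-user, mode 0700 by convention) and otherwise
    creates an unpredictable mkdtemp() directory rather than a fixed
    name under /tmp."""
    base = os.environ.get("XDG_RUNTIME_DIR")
    if base:
        st = os.lstat(base)
        if (stat.S_ISDIR(st.st_mode) and st.st_uid == os.getuid()
                and not (st.st_mode & 0o077)):
            return base
    return tempfile.mkdtemp(prefix="example-runtime-")


def bind_private_socket(path: str) -> socket.socket:
    """Bind a listening Unix socket at `path` only if the audit is clean;
    a stale socket node is removed only when we own it."""
    problems = audit_socket_path(path)
    if problems:
        raise RuntimeError("refusing to bind %s: %s" % (path, "; ".join(problems)))
    try:
        st = os.lstat(path)
        if stat.S_ISSOCK(st.st_mode) and st.st_uid == os.getuid():
            os.unlink(path)  # leftover from a previous run of ours
    except FileNotFoundError:
        pass
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o077)  # socket node is created mode 0600
    try:
        sock.bind(path)
    finally:
        os.umask(old_umask)
    sock.listen(1)
    return sock


def demo() -> dict:
    """Constructed scenarios (example data, not from the advisory): a private
    0700 directory (accepted), a symlink already sitting at the socket path
    (refused), and a 1777 shared directory like /tmp (flagged)."""
    private = tempfile.mkdtemp(prefix="private-")
    shared = tempfile.mkdtemp(prefix="shared-")
    os.chmod(shared, 0o1777)
    result = {}
    safe_path = os.path.join(private, "app.sock")
    result["private_dir_findings"] = audit_socket_path(safe_path)
    planted = os.path.join(private, "planted.sock")
    os.symlink("/nonexistent/other.sock", planted)  # the pre-created symlink case
    result["symlink_findings"] = audit_socket_path(planted)
    try:
        bind_private_socket(planted)
        result["symlink_bind_refused"] = False
    except RuntimeError:
        result["symlink_bind_refused"] = True
    result["shared_dir_findings"] = audit_socket_path(os.path.join(shared, "app.sock"))
    sock = bind_private_socket(safe_path)
    result["bound_ok"] = stat.S_ISSOCK(os.lstat(safe_path).st_mode)
    sock.close()
    for p in (safe_path, planted):
        os.unlink(p)
    os.rmdir(private)
    os.rmdir(shared)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit uses lstat rather than stat so that a symlink at the socket path is reported as a symlink instead of being silently followed, and the directory choice removes the predictability that makes pre-creation possible in the first place.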

References
==========
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862571
;a=commitdiff;h=bc8c3d871e9ecc67c47ff002b68cf049793faf08
https://security.archlinux.org/CVE-2017-8934
