Comment 36 for bug 1648806

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package apport - 2.20.4-0ubuntu1

---------------
apport (2.20.4-0ubuntu1) zesty; urgency=medium

  * New upstream release:
    - SECURITY FIX: Restrict a report's CrashDB field to literals.
      Use ast.literal_eval() instead of the generic eval(), to prevent
      arbitrary code execution from malicious .crash files. A user could be
      tricked into opening a crash file whose CrashDB field contains an
      exec(), open(), or similar commands; this is fairly easy as we install a
      MIME handler for these. Thanks to Donncha O'Cearbhaill for discovering
      this! (CVE-2016-9949, LP: #1648806)
    - SECURITY FIX: Fix path traversal vulnerability with hooks execution.
      Ensure that Package: and SourcePackage: fields loaded from reports do
      not contain directories. Until now, an attacker could trick a user into
      opening a malicious .crash file containing "Package:
      ../../../../some/dir/foo" which would execute /some/dir/foo.py with
      arbitrary code. Thanks to Donncha O'Cearbhaill for discovering this!
      (CVE-2016-9950, LP: #1648806)
    - SECURITY FIX: apport-{gtk,kde}: Only offer "Relaunch" for recent
      /var/crash crashes.
      It only makes sense to offer relaunching for crashes that just happened
      and the apport UI got triggered on those. When opening a .crash file
      copied from somewhere else or after the crash happened, this is even
      actively dangerous as a malicious crash file can specify any arbitrary
      command to run. Thanks to Donncha O'Cearbhaill for discovering this!
      (CVE-2016-9951, LP: #1648806)
    - backends/packaging-apt-dpkg.py: provide a fallback method if using zgrep
      to search for a file in Contents.gz fails due to a lack of memory.
      Thanks Brian Murray.
    - bin/apport-retrace: When --core-file is used, instead of loading the core
      file and adding it to the apport report, just pass the file reference to
      gdb.
  * debian/control: Adjust Vcs-Bzr: for zesty branch.

 -- Martin Pitt <email address hidden> Wed, 14 Dec 2016 21:28:57 +0100
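The two input-validation fixes in the changelog above (CVE-2016-9949: parse the CrashDB field with `ast.literal_eval()` rather than `eval()`; CVE-2016-9950: refuse Package:/SourcePackage: values that name a directory) can be illustrated with a small, self-contained checker. The code below is an added example for this page, not Apport's own code or a patch from the bug. The `.crash`-style report texts, the minimal `Key: value` parser, the function names and the Debian package-name regex are all constructed here; the assumption that CrashDB holds either a literal dict or a plain database name follows the changelog's description, not Apport's source.

```python
import ast
import re

# Constructed sample reports in Apport's "Key: value" style (not real crash files).
GOOD_REPORT = """ProblemType: Crash
Package: bash 4.4-2ubuntu1
SourcePackage: bash
CrashDB: {'impl': 'launchpad', 'project': 'bash'}
"""

# CrashDB field carrying a function call: generic eval() would execute it,
# ast.literal_eval() refuses it with ValueError.
BAD_CRASHDB_REPORT = """ProblemType: Crash
Package: bash 4.4-2ubuntu1
SourcePackage: bash
CrashDB: {'impl': 'launchpad', 'project': exec('print(1)')}
"""

# Package field with the traversal shape quoted in the changelog.
BAD_PACKAGE_REPORT = """ProblemType: Crash
Package: ../../../../some/dir/foo 1.0
SourcePackage: foo
CrashDB: {'impl': 'launchpad'}
"""

# Debian policy package-name syntax: lowercase letters, digits, '+', '-', '.',
# at least two characters, starting alphanumeric.  A '/' or '..' can never match.
DEBIAN_PKG_NAME = re.compile(r'[a-z0-9][a-z0-9+.-]+')
# Assumed shape for a bare crash-database name (e.g. a distro/project key).
CRASHDB_NAME = re.compile(r'[A-Za-z0-9_.-]+')


def parse_report(text):
    """Minimal 'Key: value' parser for the constructed samples (continuation lines ignored)."""
    fields = {}
    for line in text.splitlines():
        if ':' in line and not line.startswith(' '):
            key, _, value = line.partition(':')
            fields[key.strip()] = value.strip()
    return fields


def load_crashdb(value):
    """Interpret CrashDB as a Python *literal* dict or a plain name; never evaluate code."""
    if value.startswith('{'):
        try:
            db = ast.literal_eval(value)   # only literals: no calls, names or attributes
        except (ValueError, SyntaxError) as e:
            raise ValueError('CrashDB is not a literal dict: %s' % e)
        if not isinstance(db, dict):
            raise ValueError('CrashDB literal is not a dict')
        return db
    if not CRASHDB_NAME.fullmatch(value):
        raise ValueError('CrashDB name contains unexpected characters')
    return value


def validate_package_field(value):
    """Return the package name from 'name version' if it is a plain name, else raise."""
    parts = value.split()
    name = parts[0] if parts else ''
    if not DEBIAN_PKG_NAME.fullmatch(name):
        raise ValueError('package field %r is not a plain package name' % name)
    return name


def check_report(text):
    """Run both checks over a report; returns (accepted, reason)."""
    fields = parse_report(text)
    try:
        for key in ('Package', 'SourcePackage'):
            if key in fields:
                validate_package_field(fields[key])   # hook path is built from this name
        if 'CrashDB' in fields:
            load_crashdb(fields['CrashDB'])
    except ValueError as e:
        return False, str(e)
    return True, 'ok'


if __name__ == '__main__':
    for label, report in (('good', GOOD_REPORT), ('bad CrashDB', BAD_CRASHDB_REPORT),
                          ('bad Package', BAD_PACKAGE_REPORT)):
        print(label, check_report(report))
```

Note that `validate_package_field` checks the name before any hook path is derived from it, which is the order that matters: a check applied after path construction would still let `../` segments reach the filesystem lookup.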