lp:~ubuntu-core-dev/ubuntu/vivid/apport/ubuntu

Created by Brian Murray on 2014-10-31 and last modified on 2015-10-27
Get this branch:
bzr branch lp:~ubuntu-core-dev/ubuntu/vivid/apport/ubuntu
Members of Ubuntu Core Development Team can upload to this branch.

Branch information

Owner: Ubuntu Core Development Team
Status: Development

Recent revisions

2436. By Martin Pitt on 2015-10-27

releasing package apport version 2.17.2-0ubuntu1.7

2435. By Martin Pitt on 2015-10-27

SECURITY FIX: When determining the path of a Python module for a program
like "python -m module_name", avoid actually importing and running the
module; this could lead to local root privilege escalation. Thanks to
Gabriel Campana for discovering this and the fix!
(CVE-2015-1341, LP: #1507480)

2434. By Martin Pitt on 2015-10-27

test_backend_apt_dpkg.py: Reset internal apt caches between tests. Avoids
random test failures due to leaking paths from previous test cases.

2433. By Martin Pitt on 2015-10-27

releasing package apport version 2.17.2-0ubuntu1.6

2432. By Martin Pitt on 2015-10-27

Consistently intercept "report file already exists" errors in all writers of
report files (package_hook, kernel_crashdump, and similar) to avoid
unhandled exceptions on those. (LP: #1500450)

2431. By Martin Pitt on 2015-09-21

releasing package apport version 2.17.2-0ubuntu1.5

2430. By Martin Pitt on 2015-09-21

SECURITY FIX: Fix all writers of report files to open the report file
exclusively.
Fix package_hook, kernel_crashdump, and similar hooks to fail if the
report already exists. This prevents privilege escalation through symlink
attacks. Note that this will also prevent overwriting previous reports
with the same name. Thanks to halfdog for discovering this!
(CVE-2015-1338, LP: #1492570)

2429. By Martin Pitt on 2015-09-21

SECURITY FIX: kernel_crashdump: Enforce that the log/dmesg files are not a
symlink.
This prevents normal users from pre-creating a symlink to the predictable
.crash file, and thus triggering a "fill up disk" DoS attack when the
.crash report tries to include itself. Also clean up the code to make this
easier to read: Drop the "vmcore_root" alias, move the vmcore and
vmcore.log cleanup into the "no kdump" section, and replace the buggy
os.walk() loop with a glob to only catch direct timestamp subdirectories
of /var/crash/.
Thanks to halfdog for discovering this!
(CVE-2015-1338, part of LP #1492570)

2428. By Brian Murray on 2015-08-26

Fix the pocket for 2.17.2-0ubuntu1.4

2427. By Brian Murray on 2015-08-26

resolve test failures

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp:ubuntu/vivid/apport