New changelog entries:
  * SECURITY REGRESSION: 'module' object has no attribute 'O_PATH'
    (LP: #1851806)
    - apport/report.py, apport/ui.py: use file descriptors for /proc/pid
      directory access only when running under python 3; prevent reading /proc
      maps under python 2 as it does not provide a secure way to do so; use
      io.open for better compatibility between python 2 and 3.
  * data/apport: fix number of arguments passed through socks into a container.
  * test/test_report.py: test login session with both pid and proc_pid_fd.
New changelog entries:
  * apport/report.py, test/test_report.py: handle the fact that gdb now
    returns a different error message for truncated core files in some cases.
  * bin/oem-getlogs: add in script for getting hardware enablement related
    logs. Thanks to Yuan-Chen Cheng for the code. (LP: #1841157)
  * apport/hookutils.py: also gather lsusb -v and lsusb -t. Thanks to
    Yuan-Chen Cheng for the patch.
  * bin/oem-getlogs: Various pep8 / pyflakes fixes.
New changelog entries:
  [ Brian Murray ]
  * Create additional symlinks to the source_linux.py apport package hook for
    many OEM kernels. Thanks to You-Sheng Yang for the patch. (LP: #1847967)

  [ Michael Hudson-Doyle ]
  * Fix autopkgtest failures since recent security update: (LP: #1854237)
    - Fix regression in creating report for crashing setuid process by getting
      kernel to tell us the executable path rather than reading
      /proc/[pid]/exe.
    - Fix deletion of partially written core files.
    - Fix test_get_logind_session to use new API.
    - Restore add_proc_info raising ValueError for a dead process.
    - Delete test_lock_symlink, no longer applicable now that the lock is
      created in a directory only root can write to.
New changelog entries:
  * SECURITY REGRESSION: missing argument in Report.add_proc_environ
    call (LP: #1850929)
    - apport/report.py: call add_proc_environ using named arguments
      and move proc_pid_dir keyword to last to keep api compatibility.
65e201c... by Tiago Stürmer Daitx <email address hidden>
Import patches-unapplied version 2.20.11-0ubuntu10 to ubuntu/focal-proposed
New changelog entries:
  * SECURITY UPDATE: apport reads arbitrary files if ~/.config/apport/settings
    is a symlink (LP: #1830862)
    - apport/fileutils.py: drop permissions before reading user settings file.
    - CVE-2019-11481
  * SECURITY UPDATE: TOCTTOU race conditions and following symbolic
    links when creating a core file (LP: #1839413)
    - data/apport: use a file descriptor to reference cwd instead
      of strings.
    - CVE-2019-11482
  * SECURITY UPDATE: fully user controllable lock file due to lock file
    being located in world-writable directory (LP: #1839415)
    - data/apport: create and use lock file from /var/lock/apport.
    - CVE-2019-11485
  * SECURITY UPDATE: per-process user controllable Apport socket file
    (LP: #1839420)
    - data/apport: forward crashes only under a valid uid and gid,
      thanks Stéphane Graber for the patch.
    - CVE-2019-11483
  * SECURITY UPDATE: PID recycling enables an unprivileged user to
    generate and read a crash report for a privileged process (LP: #1839795)
    - data/apport: drop permissions before adding proc info (special thanks
      to Kevin Backhouse for the patch)
    - data/apport, apport/report.py, apport/ui.py: only access or open
      /proc/[pid] through a file descriptor for that directory.
    - CVE-2019-15790
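The entries above for CVE-2019-15790 and the later O_PATH regression describe the same defensive pattern: open /proc/[pid] once as a directory file descriptor and read every file relative to it, so a PID recycled between the lookup and the read cannot be mistaken for the original process. The following is an added illustration of that pattern, not apport's own code; the function names (open_proc_pid_dir, read_proc_file, process_alive, pid_from_stat, demo_self, demo_dead_process) are assumptions for this example. It is Linux-only and needs Python 3, which is why the changelog restricts the fd-based access to python 3 and stops reading /proc maps under python 2.

```python
# Added example (not apport's own code): pin /proc/<pid> with a directory fd
# and read the process's files relative to that fd. Linux only, Python 3 only
# (os.O_PATH and dir_fd support are what make the relative opens safe).
import errno
import os
import subprocess
import sys

# Python 2's os module has neither dir_fd support nor os.O_PATH, so this
# technique is simply unavailable there (the changelog above falls back to
# not reading /proc maps in that case).
HAVE_DIR_FD = os.open in os.supports_dir_fd and hasattr(os, "O_PATH")


def open_proc_pid_dir(pid):
    """Return an fd pinning /proc/<pid> for whichever process holds the PID now.

    O_PATH: the directory is never read itself, only used as dir_fd.
    O_DIRECTORY | O_NOFOLLOW: refuse anything that is not the real directory.
    """
    if not HAVE_DIR_FD:
        raise RuntimeError("dir_fd-based /proc access needs Python 3 on Linux")
    flags = os.O_PATH | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC
    return os.open("/proc/%d" % int(pid), flags)


def read_proc_file(proc_pid_fd, name):
    """Read /proc/<pid>/<name> relative to the pinned directory fd, never via
    a freshly built "/proc/<pid>/..." string that a recycled PID could hijack."""
    fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC,
                 dir_fd=proc_pid_fd)
    with os.fdopen(fd, "rb") as f:
        return f.read()


def process_alive(proc_pid_fd):
    """True while the process the fd was opened for still exists.

    After that process exits and is reaped, opens through the stale fd fail
    with ENOENT (reads of already-open files give ESRCH); a new process that
    reuses the PID is not reachable through this fd at all.
    """
    try:
        read_proc_file(proc_pid_fd, "stat")
    except OSError as e:
        if e.errno in (errno.ENOENT, errno.ESRCH):
            return False
        raise
    return True


def pid_from_stat(proc_pid_fd):
    """Parse the PID field of /proc/<pid>/stat: the text before ' (comm)'.
    Splitting on the first ' (' is deliberate, since comm may contain spaces."""
    stat = read_proc_file(proc_pid_fd, "stat")
    return int(stat.split(b" (", 1)[0])


def demo_self():
    """Pin our own /proc directory and confirm the fd reports our own PID."""
    fd = open_proc_pid_dir(os.getpid())
    try:
        return pid_from_stat(fd) == os.getpid() and process_alive(fd)
    finally:
        os.close(fd)


def demo_dead_process():
    """Spawn a child, pin its /proc dir, let it exit and be reaped, and return
    (alive_before, alive_after); the pinned fd must report (True, False)."""
    child = subprocess.Popen([sys.executable, "-c",
                              "import time; time.sleep(60)"])
    fd = open_proc_pid_dir(child.pid)
    try:
        alive_before = process_alive(fd)
        child.kill()
        child.wait()  # reaped: from here on the PID may be handed to anyone
        alive_after = process_alive(fd)
    finally:
        os.close(fd)
    return alive_before, alive_after


if __name__ == "__main__":
    print("own process consistent via fd:", demo_self())
    print("child alive before/after exit:", demo_dead_process())
```

Reading files such as maps through the fd still requires the caller to hold ptrace permission over the target, which is why the changelog pairs this with dropping privileges before adding proc info: the fd fixes the identity race, the privilege drop fixes what the reader is allowed to see.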
New changelog entries:
  * Removed general hook which would gather information about click packages.
  * data/package-hooks/source_ubiquity: pass on a KeyError when adding
    installation logs.
  * etc/apport/crashdb.conf: Disable Launchpad crash reports for 19.04
    release.