diff -Nru aptdaemon-1.1.1+bzr982/debian/changelog aptdaemon-1.1.1+bzr982/debian/changelog --- aptdaemon-1.1.1+bzr982/debian/changelog 2020-01-15 19:37:27.000000000 +0000 +++ aptdaemon-1.1.1+bzr982/debian/changelog 2020-09-23 11:27:57.000000000 +0000 @@ -1,3 +1,18 @@ +aptdaemon (1.1.1+bzr982-0ubuntu19.4) bionic-security; urgency=medium + + * SECURITY UPDATE: information disclosure via locale (LP: #1888235) + - debian/patches/CVE-2020-15703.patch: reject locales with full paths + in aptdaemon/core.py. + - CVE-2020-15703 + + -- Marc Deslauriers Wed, 23 Sep 2020 07:27:57 -0400 + +aptdaemon (1.1.1+bzr982-0ubuntu19.3) bionic; urgency=medium + + * Update crash handler to use the changed apport function. (LP: #1700810) + + -- Brian Murray Tue, 12 May 2020 11:04:58 -0700 + aptdaemon (1.1.1+bzr982-0ubuntu19.2) bionic-security; urgency=medium * Fix compatibility with python-apt security update (LP: #1858973) diff -Nru aptdaemon-1.1.1+bzr982/debian/patches/apport-report.patch aptdaemon-1.1.1+bzr982/debian/patches/apport-report.patch --- aptdaemon-1.1.1+bzr982/debian/patches/apport-report.patch 1970-01-01 00:00:00.000000000 +0000 +++ aptdaemon-1.1.1+bzr982/debian/patches/apport-report.patch 2020-05-12 18:04:53.000000000 +0000 @@ -0,0 +1,24 @@ +Description: write apport reports the right way +Author: Brian Murray +Origin: vendor +Bug-Ubuntu: http://launchpad.net/bugs/1700810 +Forwarded: not-needed +Last-Update: 2020-05-11 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: aptdaemon-1.1.1+bzr982/aptdaemon/crash.py +=================================================================== +--- aptdaemon-1.1.1+bzr982.orig/aptdaemon/crash.py ++++ aptdaemon-1.1.1+bzr982/aptdaemon/crash.py +@@ -69,9 +69,8 @@ def create_report(error, traceback, tran + uid = os.path.basename(trans.tid) + + # Write report +- report_path = apport.fileutils.make_report_path(report, uid) +- if not os.path.exists(report_path): +- report.write(open(report_path, 'wb')) ++ with apport.fileutils.make_report_file(report, uid) as f: ++ report.write(f) + + if __name__ == "__main__": + apt_pkg.init_config() diff -Nru aptdaemon-1.1.1+bzr982/debian/patches/CVE-2020-15703.patch aptdaemon-1.1.1+bzr982/debian/patches/CVE-2020-15703.patch --- aptdaemon-1.1.1+bzr982/debian/patches/CVE-2020-15703.patch 1970-01-01 00:00:00.000000000 +0000 +++ aptdaemon-1.1.1+bzr982/debian/patches/CVE-2020-15703.patch 2020-09-23 11:27:51.000000000 +0000 @@ -0,0 +1,16 @@ +Description: Reject locales with full path + _parse_localename() treats "/tmp/a." as a locale with language "/tmp/a" and + empty region, so add an extra safety check. +Author: Julian Andres Klode +Bug: https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1888235 +--- a/aptdaemon/core.py ++++ b/aptdaemon/core.py +@@ -817,6 +817,8 @@ class Transaction(DBusObject): + """ + if self.status != enums.STATUS_SETTING_UP: + raise errors.TransactionAlreadyRunning() ++ if "/" in str(locale_str): ++ raise ValueError("Security exception: Absolute path for locale") + try: + # ensure locale string is str() and not dbus.String() + (lang, encoding) = locale._parse_localename(str(locale_str)) diff -Nru aptdaemon-1.1.1+bzr982/debian/patches/series aptdaemon-1.1.1+bzr982/debian/patches/series --- aptdaemon-1.1.1+bzr982/debian/patches/series 2020-01-15 19:37:21.000000000 +0000 +++ aptdaemon-1.1.1+bzr982/debian/patches/series 2020-09-23 11:27:48.000000000 +0000 @@ -18,3 +18,5 @@ failing-tests.patch frontend-locking.patch allow-unauthenticated.patch +apport-report.patch +CVE-2020-15703.patch