apport 2.14.1-0ubuntu3.15 source package in Ubuntu
Changelog
apport (2.14.1-0ubuntu3.15) trusty-security; urgency=medium
[ Martin Pitt ]
* SECURITY FIX: kernel_crashdump: Enforce that the log/dmesg files are not a
symlink.
This prevents normal users from pre-creating a symlink to the predictable
.crash file, and thus triggering a "fill up disk" DoS attack when the
.crash report tries to include itself. Also clean up the code to make this
easier to read: Drop the "vmcore_root" alias, move the vmcore and
vmcore.log cleanup into the "no kdump" section, and replace the buggy
os.walk() loop with a glob to only catch direct timestamp subdirectories
of /var/crash/.
Thanks to halfdog for discovering this!
(CVE-2015-1338, part of LP #1492570)
* SECURITY FIX: Fix all writers of report files to open the report file
exclusively.
Fix package_hook, kernel_crashdump, and similar hooks to fail if the
report already exists. This prevents privilege escalation through symlink
attacks. Note that this will also prevent overwriting previous reports
with the same same. Thanks to halfdog for discovering this!
(CVE-2015-1338, LP: #1492570)
[ Marc Deslauriers ]
* This package does _not_ contain the changes from 2.14.1-0ubuntu3.14 in
trusty-proposed.
-- Marc Deslauriers <email address hidden> Wed, 23 Sep 2015 11:28:26 -0400
Upload details
- Uploaded by:
- Marc Deslauriers
- Uploaded to:
- Trusty
- Original maintainer:
- Martin Pitt
- Architectures:
- all
- Section:
- utils
- Urgency:
- Medium Urgency
See full publishing history Publishing
| Series | Published | Component | Section |
|---|
Downloads
| File | Size | SHA-256 Checksum |
|---|---|---|
| apport_2.14.1.orig.tar.gz | 1.2 MiB | 2a9705542c062983471143a43f144c68109656a32428da2fc4579014f6670e65 |
| apport_2.14.1-0ubuntu3.15.diff.gz | 149.7 KiB | ea8f813f6b27c3a5b71723939f66f12990b03cf8e839e52d55b9ea8ced2fbeb4 |
| apport_2.14.1-0ubuntu3.15.dsc | 2.8 KiB | 8e60bc736874b3bb475732f3f5fe9c5a1e15594a5254f5fafdb8e7a883347166 |
Available diffs
Binary packages built by this source
- apport: automatically generate crash reports for debugging
apport automatically collects data from crashed processes and
compiles a problem report in /var/crash/. This utilizes the crashdump
helper hook provided by the Ubuntu kernel.
.
This package also provides a command line frontend for browsing and
handling the crash reports. For desktops, you should consider
installing the GTK+ or Qt user interface (apport-gtk or apport-kde).
- apport-gtk: GTK+ frontend for the apport crash report system
apport automatically collects data from crashed processes and
compiles a problem report in /var/crash/. This utilizes the crashdump
helper hook provided by the Ubuntu kernel.
.
This package provides a GTK+ frontend for browsing and handling the
crash reports.
- apport-kde: KDE frontend for the apport crash report system
apport automatically collects data from crashed processes and
compiles a problem report in /var/crash/. This utilizes the crashdump
helper hook provided by the Ubuntu kernel.
.
This package provides a KDE frontend for browsing and handling the
crash reports.
- apport-noui: tools for automatically reporting Apport crash reports
apport automatically collects data from crashed processes and
compiles a problem report in /var/crash/. This utilizes the crashdump
helper hook provided by the Ubuntu kernel.
.
Installing this package will configure your system to automatically submit
all new Apport crash reports.
- apport-retrace: tools for reprocessing Apport crash reports
apport-retrace recombines an Apport crash report (either a file or a
Launchpad bug) and debug symbol packages (.ddebs) into fully symbolic
stack traces. This can optionally use a sandbox for installing debug symbol
packages and doing the processing, so that entire process of retracing crashes
can happen with normal user privileges without changing the system.
.
You need to install gdb-multiarch if you want to be able to retrace crash
reports which happened on a different architecture than the one you run
apport-retrace on.
- apport-valgrind: valgrind wrapper that first downloads debug symbols
apport-valgrind is a valgrind wrapper that automatically downloads related
available debug symbols and provides them to valgrind's memcheck tool, which
is executed. The output is a valgrind log file ("valgrind.log") that contains
stack traces (with as many symbols resolved as available) and that shows
memory leaks.
- dh-apport: debhelper extension for the apport crash report system
apport automatically collects data from crashed processes and
compiles a problem report in /var/crash/. This utilizes the crashdump
helper hook provided by the Ubuntu kernel.
.
This package provides a debhelper extension to make it easier for other
packages to include apport hooks.
- python-apport: Python library for Apport crash report handling
This Python package provides high-level functions for creating and
handling apport crash reports:
.
* Query available and new reports.
* Add OS, packaging, and process runtime information to a report.
* Various frontend utility functions.
* Python hook to generate crash reports when Python scripts fail.
- python-problem-report: Python library to handle problem reports
This Python library provides an interface for creating, modifying,
and accessing standardized problem reports for program and kernel
crashes and packaging bugs.
.
These problem reports use standard Debian control format syntax
(RFC822).
- python3-apport: Python 3 library for Apport crash report handling
This Python package provides high-level functions for creating and
handling apport crash reports:
.
* Query available and new reports.
* Add OS, packaging, and process runtime information to a report.
* Various frontend utility functions.
* Python hook to generate crash reports when Python scripts fail.
- python3-problem-report: Python 3 library to handle problem reports
This Python library provides an interface for creating, modifying,
and accessing standardized problem reports for program and kernel
crashes and packaging bugs.
.
These problem reports use standard Debian control format syntax
(RFC822).
