apport 2.17.2-0ubuntu1.5 source package in Ubuntu

Changelog

apport (2.17.2-0ubuntu1.5) vivid-security; urgency=medium

  * SECURITY FIX: kernel_crashdump: Enforce that the log/dmesg files are not a
    symlink.
    This prevents normal users from pre-creating a symlink to the predictable
    .crash file, and thus triggering a "fill up disk" DoS attack when the
    .crash report tries to include itself. Also clean up the code to make this
    easier to read: Drop the "vmcore_root" alias, move the vmcore and
    vmcore.log cleanup into the "no kdump" section, and replace the buggy
    os.walk() loop with a glob to only catch direct timestamp subdirectories
    of /var/crash/.
    Thanks to halfdog for discovering this!
    (CVE-2015-1338, part of LP #1492570)
  * SECURITY FIX: Fix all writers of report files to open the report file
    exclusively.
    Fix package_hook, kernel_crashdump, and similar hooks to fail if the
    report already exists. This prevents privilege escalation through symlink
    attacks. Note that this will also prevent overwriting previous reports
    with the same name. Thanks to halfdog for discovering this!
    (CVE-2015-1338, LP: #1492570)

 -- Martin Pitt <email address hidden>  Mon, 21 Sep 2015 10:22:50 +0200
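
The two fixes described in the changelog above, shown as an added example that is not apport's own code: creating a report file exclusively so that a pre-planted symlink is never followed, and refusing to read a log attachment that is a symlink. The function names, file names and the temporary-directory scenario are assumptions made up for the illustration.

```python
import os
import stat
import tempfile


def write_report_exclusive(path, data):
    """Create a report file; fail if anything (file or symlink) already exists."""
    # O_EXCL with O_CREAT makes open() fail with EEXIST even when 'path' is a
    # symlink, dangling or not, so a pre-planted link is never followed.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def read_regular_file(path):
    """Read an attachment (e.g. a dmesg log), refusing symlinks and non-files."""
    # O_NOFOLLOW rejects a symlink in the final path component (ELOOP on Linux);
    # O_NONBLOCK keeps open() from hanging if the path is a FIFO.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    with os.fdopen(fd, "rb") as f:
        # Check the descriptor we hold, not the path, to avoid a check/use race.
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise OSError("not a regular file: %s" % path)
        return f.read()


def demo():
    """Constructed scenario: a symlink planted at the predictable report path."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")      # hypothetical target file
        report = os.path.join(d, "predictable.crash")
        with open(victim, "wb") as f:
            f.write(b"original")
        os.symlink(victim, report)  # stands in for the pre-created symlink
        try:
            write_report_exclusive(report, b"report data")
            results["write"] = "written"
        except FileExistsError:
            results["write"] = "refused"
        try:
            read_regular_file(report)
            results["read"] = "read"
        except OSError:
            results["read"] = "refused"
        with open(victim, "rb") as f:
            results["victim"] = f.read()
    return results
```

As the changelog notes for the real fix, exclusive creation also means an existing report with the same name is never overwritten, so callers have to handle `FileExistsError`.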

Upload details

Uploaded by: Martin Pitt
Sponsored by: Marc Deslauriers
Uploaded to: Vivid
Original maintainer: Martin Pitt
Architectures: all
Section: utils
Urgency: Medium Urgency


Builds

Vivid: [FULLYBUILT] amd64

Downloads

File Size SHA-256 Checksum
apport_2.17.2.orig.tar.gz 1.2 MiB ccf58f686f5b313efa73b8a6c09cbf749a1a1cf168ea6c373235a6b7e9023852
apport_2.17.2-0ubuntu1.5.diff.gz 151.0 KiB 59c4d8070183deaf4420675a7b747a34234fc878a922bc6b264482dd3522e4ad
apport_2.17.2-0ubuntu1.5.dsc 2.8 KiB e9c1804770a08f181b8b72534ba2064e68a61218ab24a7ace0b81d1114f3be68

Binary packages built by this source

No summary or description is available in ubuntu vivid for any of the following packages:

apport
apport-gtk
apport-kde
apport-noui
apport-retrace
apport-valgrind
dh-apport
python-apport
python-problem-report
python3-apport
python3-problem-report