[ubuntu/focal-proposed] apport 2.20.11-0ubuntu10 (Accepted)
Tiago Stürmer Daitx
tiago.daitx at ubuntu.com
Wed Oct 30 17:47:12 UTC 2019
apport (2.20.11-0ubuntu10) focal; urgency=medium

  * SECURITY UPDATE: apport reads arbitrary files if ~/.config/apport/settings
    is a symlink (LP: #1830862)
    - apport/fileutils.py: drop permissions before reading user settings file.
    - CVE-2019-11481
  * SECURITY UPDATE: TOCTTOU race conditions and following symbolic
    links when creating a core file (LP: #1839413)
    - data/apport: use file descriptor to reference cwd instead
      of strings.
    - CVE-2019-11482
  * SECURITY UPDATE: fully user controllable lock file due to lock file
    being located in world-writable directory (LP: #1839415)
    - data/apport: create and use lock file from /var/lock/apport.
    - CVE-2019-11485
  * SECURITY UPDATE: per-process user controllable Apport socket file
    (LP: #1839420)
    - data/apport: forward crashes only under a valid uid and gid,
      thanks Stéphane Graber for the patch.
    - CVE-2019-11483
  * SECURITY UPDATE: PID recycling enables an unprivileged user to
    generate and read a crash report for a privileged process (LP: #1839795)
    - data/apport: drop permissions before adding proc info (special thanks
      to Kevin Backhouse for the patch)
    - data/apport, apport/report.py, apport/ui.py: only access or open
      /proc/[pid] through a file descriptor for that directory.
    - CVE-2019-15790
Date: Tue, 29 Oct 2019 05:23:08 +0000
Changed-By: Tiago Stürmer Daitx <tiago.daitx at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/apport/2.20.11-0ubuntu10
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 29 Oct 2019 05:23:08 +0000
Source: apport
Architecture: source
Version: 2.20.11-0ubuntu10
Distribution: focal
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Tiago Stürmer Daitx <tiago.daitx at ubuntu.com>
Launchpad-Bugs-Fixed: 1830862 1839413 1839415 1839420 1839795
Changes:
 apport (2.20.11-0ubuntu10) focal; urgency=medium
 .
   * SECURITY UPDATE: apport reads arbitrary files if ~/.config/apport/settings
     is a symlink (LP: #1830862)
     - apport/fileutils.py: drop permissions before reading user settings file.
     - CVE-2019-11481
   * SECURITY UPDATE: TOCTTOU race conditions and following symbolic
     links when creating a core file (LP: #1839413)
     - data/apport: use file descriptor to reference cwd instead
       of strings.
     - CVE-2019-11482
   * SECURITY UPDATE: fully user controllable lock file due to lock file
     being located in world-writable directory (LP: #1839415)
     - data/apport: create and use lock file from /var/lock/apport.
     - CVE-2019-11485
   * SECURITY UPDATE: per-process user controllable Apport socket file
     (LP: #1839420)
     - data/apport: forward crashes only under a valid uid and gid,
       thanks Stéphane Graber for the patch.
     - CVE-2019-11483
   * SECURITY UPDATE: PID recycling enables an unprivileged user to
     generate and read a crash report for a privileged process (LP: #1839795)
     - data/apport: drop permissions before adding proc info (special thanks
       to Kevin Backhouse for the patch)
     - data/apport, apport/report.py, apport/ui.py: only access or open
       /proc/[pid] through a file descriptor for that directory.
     - CVE-2019-15790
Checksums-Sha1:
a55706eead44eef421f3a7216e2fa34981143639 2859 apport_2.20.11-0ubuntu10.dsc
8bda8a81514fb1ae1113b2624ff7f7717c6273f3 1387700 apport_2.20.11-0ubuntu10.tar.gz
215b5c6de7cf492feca567fce790c15981997677 8356 apport_2.20.11-0ubuntu10_source.buildinfo
Checksums-Sha256:
de29b066e67165d5a75c9a4f1c5f5f753346f74905670907f76f23cb26fdd023 2859 apport_2.20.11-0ubuntu10.dsc
1c36a000fb469bab3dea7b099c0d29ccd8ad9c838c141856491cb7b183e833ec 1387700 apport_2.20.11-0ubuntu10.tar.gz
5a1b3fb00dc162997dd7608fed11c001fcb9b7b9685f663c73914588259819a1 8356 apport_2.20.11-0ubuntu10_source.buildinfo
Files:
e4e8243994629fdf4a7e9bb72d8d67e4 2859 utils optional apport_2.20.11-0ubuntu10.dsc
6e85a612cedf8541b211c627d46ecc60 1387700 utils optional apport_2.20.11-0ubuntu10.tar.gz
f8aa1dc28866e84af085b5ca291b5120 8356 utils optional apport_2.20.11-0ubuntu10_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
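Four of the five entries above share one mitigation pattern: hold a directory by file descriptor, open files relative to it with O_NOFOLLOW, and verify what you opened with fstat on the descriptor rather than stat on a path, so a symlink swap, a rename, or a recycled PID cannot redirect the read between check and use. The following illustration was written for this page and is not apport's code; the function names and the temporary-directory fixture are my own, and where apport drops privileges before reading the user settings file, this sketch instead refuses symlinks and pins the directory owner, which is a related but different hardening.

```python
import os
import stat
import tempfile
from typing import Optional

# Hypothetical helper names, written for this page; not taken from apport.


def open_dir_fd(path: str, expected_uid: Optional[int] = None) -> int:
    """Open a directory by descriptor and optionally pin its owner.

    Later opens relative to this descriptor resolve against *this* directory
    object, not against a path string that can be re-pointed underneath us.
    For /proc/<pid>, the descriptor holds the kernel's pid object, so a new
    process reusing the number does not alias it.
    """
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if expected_uid is not None and st.st_uid != expected_uid:
            raise PermissionError(
                f"{path} owned by uid {st.st_uid}, expected {expected_uid}")
    except BaseException:
        os.close(fd)
        raise
    return fd


def read_file_in_dir(dirfd: int, name: str, max_bytes: int = 1 << 20) -> bytes:
    """Read the regular file `name` located directly inside directory `dirfd`.

    - `name` must be a single path component, so the caller cannot escape.
    - O_NOFOLLOW makes the open fail (ELOOP) if that component is a symlink,
      which is the settings-file-as-symlink case from the changelog.
    - The file type is checked with fstat on the opened descriptor, so there
      is no check-then-open window for an attacker to swap the object in.
    """
    if not name or name in (".", "..") or "/" in name or "\0" in name:
        raise ValueError(f"refusing path component {name!r}")
    fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=dirfd)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError(f"{name} is not a regular file")
        chunks, total = [], 0
        while total < max_bytes:
            chunk = os.read(fd, min(65536, max_bytes - total))
            if not chunk:
                break
            chunks.append(chunk)
            total += len(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def read_proc_pid_file(pid: int, name: str, expected_uid: int) -> bytes:
    """Read /proc/<pid>/<name> only through a pinned directory descriptor.

    The owner check binds the descriptor to a process running as expected_uid.
    If that process exits and the PID is recycled, the descriptor still refers
    to the old entry, which the kernel invalidates, so the open fails instead
    of silently reading another process's files.
    """
    dirfd = open_dir_fd(f"/proc/{pid}", expected_uid=expected_uid)
    try:
        return read_file_in_dir(dirfd, name)
    finally:
        os.close(dirfd)


def demo_on_tempdir() -> dict:
    """Constructed fixture: a settings file, a symlink to it, an escape attempt."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "settings"), "wb") as f:
            f.write(b"[main]\nunpackaged=true\n")
        os.symlink(os.path.join(d, "settings"), os.path.join(d, "link"))
        result = {}
        dirfd = open_dir_fd(d, expected_uid=os.getuid())
        try:
            result["settings"] = read_file_in_dir(dirfd, "settings")
            try:
                read_file_in_dir(dirfd, "link")  # symlink: must be refused
                result["symlink_refused"] = False
            except OSError:
                result["symlink_refused"] = True
            try:
                read_file_in_dir(dirfd, "../settings")  # escape: must be refused
                result["escape_refused"] = False
            except ValueError:
                result["escape_refused"] = True
        finally:
            os.close(dirfd)
        return result


if __name__ == "__main__":
    print(demo_on_tempdir())
    # Read our own /proc entry the way the fifth changelog entry describes.
    print(read_proc_pid_file(os.getpid(), "stat", expected_uid=os.getuid())[:40])
```

The key design choice is that every decision (owner, file type, symlink-or-not) is made on an already-open descriptor, never on a path that is re-resolved afterwards; the uid pin on the directory is what ties the later reads to the process or user that was authorised, which is the property PID recycling and symlink swaps otherwise break.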