[ubuntu/focal-proposed] apport 2.20.11-0ubuntu10 (Accepted)

Tiago Stürmer Daitx tiago.daitx at ubuntu.com
Wed Oct 30 17:47:12 UTC 2019


apport (2.20.11-0ubuntu10) focal; urgency=medium

  * SECURITY UPDATE: apport reads arbitrary files if ~/.config/apport/settings
    is a symlink (LP: #1830862)
    - apport/fileutils.py: drop permissions before reading user settings file.
    - CVE-2019-11481
  * SECURITY UPDATE: TOCTTOU race conditions and following symbolic
    links when creating a core file (LP: #1839413)
    - data/apport: use a file descriptor to reference the cwd instead
      of strings.
    - CVE-2019-11482
  * SECURITY UPDATE: fully user controllable lock file due to lock file
    being located in world-writable directory (LP: #1839415)
    - data/apport: create and use lock file from /var/lock/apport.
    - CVE-2019-11485
  * SECURITY UPDATE: per-process user controllable Apport socket file
    (LP: #1839420)
    - data/apport: forward crashes only under a valid uid and gid,
      thanks Stéphane Graber for the patch.
    - CVE-2019-11483
  * SECURITY UPDATE: PID recycling enables an unprivileged user to
    generate and read a crash report for a privileged process (LP: #1839795)
    - data/apport: drop permissions before adding proc info (special thanks
      to Kevin Backhouse for the patch)
    - data/apport, apport/report.py, apport/ui.py: only access or open
      /proc/[pid] through a file descriptor for that directory.
    - CVE-2019-15790
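
Two of the fixes listed above, the privilege drop before reading the user's settings file (CVE-2019-11481) and accessing /proc/[pid] only through a directory file descriptor so a recycled PID cannot be swapped in (CVE-2019-15790), as a worked example. This is added code, not apport's own: the names `as_user`, `read_user_settings`, `ProcHandle`, `may_forward_crash` and `run_demo` are hypothetical, the sample settings content is constructed, and the `O_NOFOLLOW` plus `fstat()` ownership check is a defense-in-depth layer this example adds on top of the privilege drop, not part of the apport change itself. It runs unprivileged on any Linux host; the privilege drop only takes effect when the caller is root.

```python
"""Added example (not apport's own code): two patterns from the changelog above."""
import contextlib
import os
import stat
import tempfile


@contextlib.contextmanager
def as_user(uid, gid):
    """Drop effective privileges to (uid, gid) while root; no-op when unprivileged.
    Opened as the user, a settings file that is really a symlink to /etc/shadow
    fails instead of being read with root's rights (CVE-2019-11481 pattern)."""
    if os.geteuid() != 0:
        yield
        return
    saved_uid, saved_gid = os.geteuid(), os.getegid()
    os.setegid(gid)            # gid first, while still permitted
    os.seteuid(uid)
    try:
        yield
    finally:
        os.seteuid(saved_uid)  # uid first, to regain the right to set gid
        os.setegid(saved_gid)


def read_user_settings(path, uid, gid, max_bytes=64 * 1024):
    """Return the settings text, or None if missing, unreadable or suspicious.
    Defense in depth beyond the privilege drop (this example's choice, not the
    apport fix): O_NOFOLLOW refuses a symlink, and fstat() on the open fd, not
    stat() on the path, checks the file is regular and owned by the user."""
    with as_user(uid, gid):
        try:
            fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
        except OSError:        # ENOENT, EACCES, or ELOOP for a symlink
            return None
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != uid:
            return None
        return os.read(fd, max_bytes).decode("utf-8", "replace")
    finally:
        os.close(fd)


class ProcHandle:
    """Pin /proc/[pid] with a directory fd; a recycled PID number cannot redirect
    later reads or checks to a new process (CVE-2019-15790 pattern)."""

    def __init__(self, pid):
        flags = os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC
        self.dir_fd = os.open("/proc/%d" % pid, flags)

    def close(self):
        os.close(self.dir_fd)

    def read(self, name, max_bytes=64 * 1024):
        flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC
        fd = os.open(name, flags, dir_fd=self.dir_fd)   # never a path string
        try:
            return os.read(fd, max_bytes)
        finally:
            os.close(fd)

    def owner(self):
        """Real (uid, gid) parsed from /proc/[pid]/status."""
        uid = gid = None
        for line in self.read("status").decode().splitlines():
            if line.startswith("Uid:"):
                uid = int(line.split()[1])
            elif line.startswith("Gid:"):
                gid = int(line.split()[1])
        return uid, gid


def may_forward_crash(handle, claimed_uid, claimed_gid):
    """Forward a crash only if the pinned process really has the claimed ids."""
    return handle.owner() == (claimed_uid, claimed_gid)


def run_demo():
    """Exercise both patterns on this process and a scratch directory."""
    uid, gid = os.getuid(), os.getgid()
    out = {}
    handle = ProcHandle(os.getpid())
    try:
        out["forward_ok"] = may_forward_crash(handle, uid, gid)
        out["forward_wrong_uid"] = may_forward_crash(handle, uid + 1, gid)
        out["comm"] = handle.read("comm").strip().decode()
    finally:
        handle.close()
    scratch = tempfile.mkdtemp(prefix="apport-demo-")
    path = os.path.join(scratch, "settings")
    with open(path, "w") as f:
        f.write("[main]\nunpackaged=true\n")   # constructed sample settings
    out["regular_file"] = read_user_settings(path, uid, gid)
    os.unlink(path)
    os.symlink("/etc/passwd", path)             # what an attacker would plant
    out["symlink"] = read_user_settings(path, uid, gid)
    os.unlink(path)
    os.rmdir(scratch)
    return out
```

In a real crash handler the `/proc/[pid]` directory fd is opened once, before any identity check, and every later read of `status`, `cmdline`, `exe` and so on goes through that fd; if the process has already exited and its PID was reused, reads through the old fd fail with ESRCH rather than silently describing the new process.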

Date: Tue, 29 Oct 2019 05:23:08 +0000
Changed-By: Tiago Stürmer Daitx <tiago.daitx at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/apport/2.20.11-0ubuntu10
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 29 Oct 2019 05:23:08 +0000
Source: apport
Architecture: source
Version: 2.20.11-0ubuntu10
Distribution: focal
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Tiago Stürmer Daitx <tiago.daitx at ubuntu.com>
Launchpad-Bugs-Fixed: 1830862 1839413 1839415 1839420 1839795
Changes:
 apport (2.20.11-0ubuntu10) focal; urgency=medium
 .
   * SECURITY UPDATE: apport reads arbitrary files if ~/.config/apport/settings
     is a symlink (LP: #1830862)
     - apport/fileutils.py: drop permissions before reading user settings file.
     - CVE-2019-11481
   * SECURITY UPDATE: TOCTTOU race conditions and following symbolic
     links when creating a core file (LP: #1839413)
     - data/apport: use a file descriptor to reference the cwd instead
       of strings.
     - CVE-2019-11482
   * SECURITY UPDATE: fully user controllable lock file due to lock file
     being located in world-writable directory (LP: #1839415)
     - data/apport: create and use lock file from /var/lock/apport.
     - CVE-2019-11485
   * SECURITY UPDATE: per-process user controllable Apport socket file
     (LP: #1839420)
     - data/apport: forward crashes only under a valid uid and gid,
       thanks Stéphane Graber for the patch.
     - CVE-2019-11483
   * SECURITY UPDATE: PID recycling enables an unprivileged user to
     generate and read a crash report for a privileged process (LP: #1839795)
     - data/apport: drop permissions before adding proc info (special thanks
       to Kevin Backhouse for the patch)
     - data/apport, apport/report.py, apport/ui.py: only access or open
       /proc/[pid] through a file descriptor for that directory.
     - CVE-2019-15790
Checksums-Sha1:
 a55706eead44eef421f3a7216e2fa34981143639 2859 apport_2.20.11-0ubuntu10.dsc
 8bda8a81514fb1ae1113b2624ff7f7717c6273f3 1387700 apport_2.20.11-0ubuntu10.tar.gz
 215b5c6de7cf492feca567fce790c15981997677 8356 apport_2.20.11-0ubuntu10_source.buildinfo
Checksums-Sha256:
 de29b066e67165d5a75c9a4f1c5f5f753346f74905670907f76f23cb26fdd023 2859 apport_2.20.11-0ubuntu10.dsc
 1c36a000fb469bab3dea7b099c0d29ccd8ad9c838c141856491cb7b183e833ec 1387700 apport_2.20.11-0ubuntu10.tar.gz
 5a1b3fb00dc162997dd7608fed11c001fcb9b7b9685f663c73914588259819a1 8356 apport_2.20.11-0ubuntu10_source.buildinfo
Files:
 e4e8243994629fdf4a7e9bb72d8d67e4 2859 utils optional apport_2.20.11-0ubuntu10.dsc
 6e85a612cedf8541b211c627d46ecc60 1387700 utils optional apport_2.20.11-0ubuntu10.tar.gz
 f8aa1dc28866e84af085b5ca291b5120 8356 utils optional apport_2.20.11-0ubuntu10_source.buildinfo
