[Bug 1004503] Re: Incomplete fix for CVE-2012-0949
Launchpad Bug Tracker
1004503 at bugs.launchpad.net
Wed Jul 25 19:08:57 UTC 2012
** Branch linked: lp:ubuntu-release-upgrader
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1004503
Title: Incomplete fix for CVE-2012-0949

Status in “update-manager” package in Ubuntu: Confirmed
Status in “update-manager” source package in Natty: Fix Released
Status in “update-manager” source package in Oneiric: Fix Released
Status in “update-manager” source package in Precise: Fix Released
Status in “update-manager” source package in Quantal: Confirmed
Bug description:
The following USN fixed CVE-2012-0949:
http://www.ubuntu.com/usn/usn-1443-1/
"Felix Geyer discovered that the Update Manager Apport hook incorrectly
uploaded certain system state archive files to Launchpad when reporting
bugs. This could possibly result in repository credentials being included
in public bug reports."
This was originally LP #954483
Unfortunately, the state archive files are still being uploaded. It
seems there is code in DistUpgradeApport.py that attaches the contents
of the /var/log/dist-upgrade directory and manually runs apport.
apport_crash() can be simply modified to exclude the archive files,
but fixing apport_pkgfailure() is more complicated.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1004503/+subscriptions
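Added example, not code from ubuntu-release-upgrader, update-manager or the bug reporter: a stand-alone Python sketch of the behaviour the report asks for, attaching the contents of a /var/log/dist-upgrade style directory to a bug report while excluding the system state archives. The page does not name the archive files, so matching them by tarball/zip suffix, the file name `system_state.tar.gz`, the `DistUpgrade.` report key scheme and the plain dict standing in for an apport Report are all assumptions of this example; the log directory and the credential-bearing sources.list inside the archive are constructed test data.

```python
"""Attach dist-upgrade logs to a report without leaking state archives."""
import io
import os
import tarfile
import tempfile

# The bug only says "archive files"; treating tarball/zip suffixes as the
# state archives is an assumption made for this example.
ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".tgz", ".tar.bz2", ".tar.xz", ".zip")


def is_state_archive(name):
    """True for files that look like a system state archive."""
    return name.lower().endswith(ARCHIVE_SUFFIXES)


def path_to_key(log_dir, path):
    """Hypothetical key scheme (not apport's own): derive a report key from
    the path relative to log_dir, keeping only alphanumerics and dots."""
    rel = os.path.relpath(path, log_dir)
    return "DistUpgrade." + "".join(c if c.isalnum() else "." for c in rel)


def attach_log_dir(log_dir, report, skip_archives=True):
    """Copy every regular file under log_dir into report (a dict standing in
    for an apport Report). Returns (attached_keys, skipped_paths).
    skip_archives=False reproduces the leaky behaviour the bug describes."""
    attached, skipped = [], []
    for root, _dirs, files in os.walk(log_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            if skip_archives and is_state_archive(name):
                skipped.append(path)
                continue
            key = path_to_key(log_dir, path)
            with open(path, "rb") as fh:
                report[key] = fh.read()
            attached.append(key)
    return attached, skipped


def report_leaks_credentials(report, marker=b"@private.example.org"):
    """True if any attached blob, or any member of an attached tar archive,
    contains the constructed userinfo URL marker (the credential leak)."""
    for blob in report.values():
        if marker in blob:
            return True
        try:
            with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
                for member in tar.getmembers():
                    fh = tar.extractfile(member)
                    if fh is not None and marker in fh.read():
                        return True
        except tarfile.TarError:
            pass  # not a tar archive, plain log text
    return False


def build_demo_log_dir():
    """Constructed fixture imitating /var/log/dist-upgrade: two plain logs
    plus a state archive holding a sources.list with a fake credential."""
    log_dir = tempfile.mkdtemp(prefix="dist-upgrade-")
    with open(os.path.join(log_dir, "main.log"), "w") as fh:
        fh.write("2012-07-25 19:08:57,000 INFO Upgrade started\n")
    with open(os.path.join(log_dir, "apt.log"), "w") as fh:
        fh.write("Log time: 2012-07-25 19:08:57\n")
    # Constructed private-repository line; the credential is made up.
    sources = b"deb https://user:s3cret@private.example.org/ubuntu precise main\n"
    tmp = os.path.join(log_dir, "sources.list.tmp")
    with open(tmp, "wb") as fh:
        fh.write(sources)
    archive = os.path.join(log_dir, "system_state.tar.gz")  # hypothetical name
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(tmp, arcname="etc/apt/sources.list")
    os.remove(tmp)
    return log_dir


if __name__ == "__main__":
    demo = build_demo_log_dir()
    leaky, safe = {}, {}
    attach_log_dir(demo, leaky, skip_archives=False)
    attach_log_dir(demo, safe)
    print("leaky report exposes credentials:", report_leaks_credentials(leaky))
    print("filtered report exposes credentials:", report_leaks_credentials(safe))
```

The suffix filter is the simple approach the report suggests for apport_crash(); it does nothing for an archive that has been renamed or for credentials that sit in a plain log, which is why the leak check above scans the attached blobs rather than trusting the file names.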