[Bug 1004503] Re: Incomplete fix for CVE-2012-0949

Marc Deslauriers marc.deslauriers at canonical.com
Mon Jun 4 13:14:43 UTC 2012


** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1004503

Title:
  Incomplete fix for CVE-2012-0949

Status in “update-manager” package in Ubuntu:
  Confirmed
Status in “update-manager” source package in Natty:
  Confirmed
Status in “update-manager” source package in Oneiric:
  Confirmed
Status in “update-manager” source package in Precise:
  Confirmed
Status in “update-manager” source package in Quantal:
  Confirmed

Bug description:
  The following USN fixed CVE-2012-0949:

  http://www.ubuntu.com/usn/usn-1443-1/

  "Felix Geyer discovered that the Update Manager Apport hook incorrectly
  uploaded certain system state archive files to Launchpad when reporting
  bugs. This could possibly result in repository credentials being included
  in public bug reports."

  This was originally LP #954483.

  Unfortunately, the state archive files are still being uploaded. It
  seems there is code in DistUpgradeApport.py that attaches the contents
  of the /var/log/dist-upgrade directory and manually runs apport.

  apport_crash() can be simply modified to exclude the archive files,
  but fixing apport_pkgfailure() is more complicated.
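A hardened selection of log attachments for the case described above, as an added example that is not code from update-manager or apport: it walks a directory like /var/log/dist-upgrade and skips anything that looks like an archive by name or by leading bytes, attaching only decodable text logs. The sample directory, its file names and the report key naming are constructed assumptions.

```python
import os
import tempfile

# Leading bytes of common archive/compressed formats (assumed list): gzip, bzip2, xz, zip.
ARCHIVE_MAGIC = (b"\x1f\x8b", b"BZh", b"\xfd7zXZ\x00", b"PK\x03\x04")
ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".tgz", ".tar.bz2", ".tar.xz", ".zip", ".gz")


def is_archive(path):
    """True if the file looks like an archive by extension or by magic bytes."""
    if os.path.basename(path).lower().endswith(ARCHIVE_SUFFIXES):
        return True
    with open(path, "rb") as fh:
        head = fh.read(8)
    return any(head.startswith(magic) for magic in ARCHIVE_MAGIC)


def select_log_attachments(log_dir, max_bytes=1 << 20):
    """Return {report_key: text} for plain text logs in log_dir.

    Archives (the state tarballs that may hold repository credentials) and
    undecodable binary files are skipped instead of being attached.
    """
    report = {}
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        if not os.path.isfile(path) or is_archive(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read(max_bytes)
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            continue
        # Key naming is an assumption: "main.log" -> "DistUpgradeMainLog".
        key = "DistUpgrade" + "".join(c for c in name.title() if c.isalnum())
        report[key] = text
    return report


def demo():
    """Constructed stand-in for /var/log/dist-upgrade; returns (report, skipped names)."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "main.log"), "w") as fh:
        fh.write("2012-06-04 13:14:43 INFO upgrade started\n")
    with open(os.path.join(d, "apt.log"), "w") as fh:
        fh.write("Log time: 2012-06-04\n")
    with open(os.path.join(d, "system_state.tar.gz"), "wb") as fh:
        fh.write(b"\x1f\x8b\x08" + b"\x00" * 13)   # gzip header, constructed
    with open(os.path.join(d, "state_blob"), "wb") as fh:
        fh.write(b"PK\x03\x04" + b"\x00" * 12)     # zip header, no extension
    skipped = [n for n in sorted(os.listdir(d)) if is_archive(os.path.join(d, n))]
    return select_log_attachments(d), skipped
```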

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1004503/+subscriptions
