[ubuntu/zesty-proposed] apport 2.20.4-0ubuntu1 (Accepted)
Martin Pitt
martin.pitt at ubuntu.com
Wed Dec 14 22:03:12 UTC 2016
apport (2.20.4-0ubuntu1) zesty; urgency=medium

  * New upstream release:
    - SECURITY FIX: Restrict a report's CrashDB field to literals.
      Use ast.literal_eval() instead of the generic eval(), to prevent
      arbitrary code execution from malicious .crash files. A user could be
      tricked into opening a crash file whose CrashDB field contains an
      exec(), open(), or similar commands; this is fairly easy as we install a
      MIME handler for these. Thanks to Donncha O'Cearbhaill for discovering
      this! (CVE-2016-9949, LP: #1648806)
    - SECURITY FIX: Fix path traversal vulnerability with hooks execution.
      Ensure that Package: and SourcePackage: fields loaded from reports do
      not contain directories. Until now, an attacker could trick a user into
      opening a malicious .crash file containing "Package:
      ../../../../some/dir/foo" which would execute /some/dir/foo.py with
      arbitrary code. Thanks to Donncha O'Cearbhaill for discovering this!
      (CVE-2016-9950, LP: #1648806)
    - SECURITY FIX: apport-{gtk,kde}: Only offer "Relaunch" for recent
      /var/crash crashes.
      It only makes sense to offer relaunching for crashes that just happened
      and the apport UI got triggered on those. When opening a .crash file
      copied from somewhere else or after the crash happened, this is even
      actively dangerous as a malicious crash file can specify any arbitrary
      command to run. Thanks to Donncha O'Cearbhaill for discovering this!
      (CVE-2016-9951, LP: #1648806)
    - backends/packaging-apt-dpkg.py: provide a fallback method if using zgrep
      to search for a file in Contents.gz fails due to a lack of memory.
      Thanks Brian Murray.
    - bin/apport-retrace: When --core-file is used, instead of loading the core
      file and adding it to the apport report, just pass the file reference to
      gdb.
  * debian/control: Adjust Vcs-Bzr: for zesty branch.

Date: Wed, 14 Dec 2016 21:28:57 +0100
Changed-By: Martin Pitt <martin.pitt at ubuntu.com>
https://launchpad.net/ubuntu/+source/apport/2.20.4-0ubuntu1
Format: 1.8
Date: Wed, 14 Dec 2016 21:28:57 +0100
Source: apport
Binary: apport python-problem-report python3-problem-report python-apport python3-apport apport-retrace apport-valgrind apport-gtk apport-kde dh-apport apport-noui
Architecture: source
Version: 2.20.4-0ubuntu1
Distribution: zesty
Urgency: medium
Maintainer: Martin Pitt <martin.pitt at ubuntu.com>
Changed-By: Martin Pitt <martin.pitt at ubuntu.com>
Description:
apport - automatically generate crash reports for debugging
apport-gtk - GTK+ frontend for the apport crash report system
apport-kde - KDE frontend for the apport crash report system
apport-noui - tools for automatically reporting Apport crash reports
apport-retrace - tools for reprocessing Apport crash reports
apport-valgrind - valgrind wrapper that first downloads debug symbols
dh-apport - debhelper extension for the apport crash report system
python-apport - Python library for Apport crash report handling
python-problem-report - Python library to handle problem reports
python3-apport - Python 3 library for Apport crash report handling
python3-problem-report - Python 3 library to handle problem reports
Launchpad-Bugs-Fixed: 1648806
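
Added example, not part of the original announcement and not apport's own code: a sketch of the two input checks the changelog describes, parsing a CrashDB field with ast.literal_eval() and rejecting Package:/SourcePackage: values that contain directories. HOOK_DIR, the function names, the "Key: value" parsing and the sample reports are assumptions constructed for illustration.

```python
import ast
import os

HOOK_DIR = "/example/hooks"  # hypothetical hook directory, not apport's real path


def parse_crashdb(value):
    """Parse a CrashDB field as a dict literal; calls like open() are rejected."""
    try:
        spec = ast.literal_eval(value)
    except (ValueError, SyntaxError, TypeError) as exc:
        raise ValueError("CrashDB is not a literal") from exc
    if not isinstance(spec, dict):
        raise ValueError("CrashDB must be a dict literal")
    return spec


def hook_path(package):
    """Map a Package/SourcePackage value to a hook file inside HOOK_DIR."""
    if not package or "/" in package or os.sep in package:
        raise ValueError("package name contains a directory: %r" % package)
    path = os.path.normpath(os.path.join(HOOK_DIR, package + ".py"))
    # Defence in depth: the resolved path must still sit directly in HOOK_DIR.
    if os.path.dirname(path) != HOOK_DIR:
        raise ValueError("hook path escapes %s" % HOOK_DIR)
    return path


def check_report(text):
    """Return the problems found in a 'Key: value' report, one per field."""
    fields = dict(line.split(": ", 1) for line in text.splitlines() if ": " in line)
    problems = []
    for key, check in (("CrashDB", parse_crashdb), ("Package", hook_path),
                       ("SourcePackage", hook_path)):
        if key in fields:
            try:
                check(fields[key])
            except ValueError as exc:
                problems.append("%s: %s" % (key, exc))
    return problems


# Constructed sample reports (not real crash files).
GOOD = "ProblemType: Crash\nPackage: foo\nCrashDB: {'impl': 'memory'}"
BAD = ("ProblemType: Crash\nPackage: ../../../../some/dir/foo\n"
       "CrashDB: {'impl': open('/dev/null')}")

if __name__ == "__main__":
    print(check_report(GOOD), check_report(BAD))
```

The open() call in the BAD sample is never executed: ast.literal_eval() refuses any node that is not a literal, which is the property the CVE-2016-9949 fix relies on.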