This bug was fixed in the package apport - 2.20.4-0ubuntu1
---------------
apport (2.20.4-0ubuntu1) zesty; urgency=medium

  * New upstream release:
    - SECURITY FIX: Restrict a report's CrashDB field to literals.
      Use ast.literal_eval() instead of the generic eval(), to prevent
      arbitrary code execution from malicious .crash files. A user could be
      tricked into opening a crash file whose CrashDB field contains an
      exec(), open(), or similar command; this is fairly easy as we install a
      MIME handler for these. Thanks to Donncha O'Cearbhaill for discovering
      this! (CVE-2016-9949, LP: #1648806)
    - SECURITY FIX: Fix path traversal vulnerability with hooks execution.
      Ensure that Package: and SourcePackage: fields loaded from reports do
      not contain directories. Until now, an attacker could trick a user into
      opening a malicious .crash file containing "Package:
      ../../../../some/dir/foo" which would execute /some/dir/foo.py with
      arbitrary code. Thanks to Donncha O'Cearbhaill for discovering this!
      (CVE-2016-9950, LP: #1648806)
    - SECURITY FIX: apport-{gtk,kde}: Only offer "Relaunch" for recent
      /var/crash crashes.
      It only makes sense to offer relaunching for crashes that just happened
      and the apport UI got triggered on those. When opening a .crash file
      copied from somewhere else or after the crash happened, this is even
      actively dangerous as a malicious crash file can specify any arbitrary
      command to run. Thanks to Donncha O'Cearbhaill for discovering this!
      (CVE-2016-9951, LP: #1648806)
    - backends/packaging-apt-dpkg.py: provide a fallback method if using zgrep
      to search for a file in Contents.gz fails due to a lack of memory.
      Thanks Brian Murray.
    - bin/apport-retrace: When --core-file is used, instead of loading the core
      file and adding it to the apport report, just pass the file reference to
      gdb.
  * debian/control: Adjust Vcs-Bzr: for zesty branch.

 -- Martin Pitt <email address hidden>  Wed, 14 Dec 2016 21:28:57 +0100
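The two report-parsing bug classes described in the changelog above (CVE-2016-9949, an attacker-controlled CrashDB field reaching eval(), and CVE-2016-9950, a Package:/SourcePackage: field joined onto the hook directory without validation) as an added example in Python, each shown in its vulnerable form next to a hardened one. This is illustrative code written for this page, not apport's own implementation: the field values are constructed, the hook directory path and the package-name pattern are assumptions, and the function names are hypothetical.

```python
"""Added example (not apport's code): the two .crash field bug classes above,
each in a 'before' (vulnerable) and 'after' (hardened) form.

Assumptions: HOOK_DIR is a plausible hook location, PACKAGE_RE follows the
Debian package-name rules, and all sample field values are constructed."""
import ast
import os
import re

HOOK_DIR = "/usr/share/apport/package-hooks"  # assumed location

# Constructed field values a malicious .crash file could carry.
PROBE_CRASHDB = "__import__('os').getpid()"  # any expression; a harmless one here
BENIGN_CRASHDB = "{'impl': 'launchpad', 'project': 'ubuntu'}"
PROBE_PACKAGE = "../../../../some/dir/foo"   # the traversal from the changelog


def parse_crashdb_unsafe(value):
    """Before: eval() executes whatever the CrashDB field contains."""
    return eval(value)


def parse_crashdb(value):
    """After: only a Python literal is accepted, and it must be a dict."""
    try:
        spec = ast.literal_eval(value)
    except (ValueError, SyntaxError):
        raise ValueError("CrashDB field is not a literal")
    if not isinstance(spec, dict):
        raise ValueError("CrashDB field must be a dict literal")
    return spec


def hook_path_unsafe(package, hook_dir=HOOK_DIR):
    """Before: the Package: field is joined onto the hook directory as-is,
    so '..' components (or an absolute path) walk out of hook_dir."""
    return os.path.normpath(os.path.join(hook_dir, package + ".py"))


# Debian package names: lowercase alphanumerics, '+', '-', '.', 2+ chars,
# starting with an alphanumeric. No '/' and no leading '.' can get through.
PACKAGE_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")


def hook_path(package, hook_dir=HOOK_DIR):
    """After: reject anything that is not a plain package name, then
    double-check that the resolved path is still directly inside hook_dir."""
    if not PACKAGE_RE.match(package):
        raise ValueError("invalid package name: %r" % package)
    path = os.path.normpath(os.path.join(hook_dir, package + ".py"))
    if os.path.dirname(path) != os.path.normpath(hook_dir):
        raise ValueError("hook path escapes %s: %r" % (hook_dir, path))
    return path


def rejects(fn, value):
    """True if fn(value) raises ValueError; used to exercise the checks."""
    try:
        fn(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_crashdb_unsafe(PROBE_CRASHDB))   # the expression ran: our pid
    print(rejects(parse_crashdb, PROBE_CRASHDB))  # True: not a literal
    print(parse_crashdb(BENIGN_CRASHDB))          # the dict, as intended
    print(hook_path_unsafe(PROBE_PACKAGE))       # /some/dir/foo.py
    print(rejects(hook_path, PROBE_PACKAGE))     # True: name rejected
    print(hook_path("firefox"))                  # stays inside HOOK_DIR
```

The second check in hook_path() is deliberately redundant with the regex: if the name pattern is ever loosened, the dirname comparison still refuses any resolved path outside the hook directory.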