Ubuntu AppArmor policy is too lenient with shell scripts

Bug #1045986 reported by Jamie Strandboge on 2012-09-04
This bug affects 6 people
Affects                    Importance   Assigned to
apparmor (Ubuntu)          Undecided    Jamie Strandboge
  Lucid                    Undecided    Unassigned
  Natty                    Undecided    Unassigned
  Oneiric                  Undecided    Jamie Strandboge
  Precise                  Undecided    Jamie Strandboge
  Quantal                  Undecided    Jamie Strandboge
apport (Ubuntu)            Undecided    Jamie Strandboge
  Lucid                    Undecided    Jamie Strandboge
  Natty                    Undecided    Jamie Strandboge
  Oneiric                  Undecided    Jamie Strandboge
  Precise                  Undecided    Jamie Strandboge
  Quantal                  Undecided    Jamie Strandboge
chromium-browser (Ubuntu)  Undecided    Chad Miller
  Precise                  Undecided    Unassigned
  Quantal                  Undecided    Unassigned
cups (Ubuntu)              Undecided    Unassigned
  Precise                  Undecided    Unassigned
  Quantal                  Undecided    Unassigned
dhcp3 (Ubuntu)             Undecided    Unassigned
  Lucid                    High         Jamie Strandboge
  Natty                    Undecided    Unassigned
  Oneiric                  Undecided    Unassigned
  Precise                  Undecided    Unassigned
  Quantal                  Undecided    Unassigned
firefox (Ubuntu)           Undecided    Unassigned
  Precise                  Undecided    Unassigned
  Quantal                  Undecided    Unassigned
isc-dhcp (Ubuntu)          High         Jamie Strandboge
  Lucid                    Undecided    Unassigned
  Natty                    High         Jamie Strandboge
  Oneiric                  High         Jamie Strandboge
  Precise                  High         Jamie Strandboge
  Quantal                  High         Jamie Strandboge

Bug Description

Dan Rosenberg has blogged about some AppArmor profile weaknesses in Ubuntu:
http://blog.azimuthsecurity.com/2012/09/poking-holes-in-apparmor-profiles.html

This bug will track the work needed to fix them. This is a continuation of bug #851986, except for PATH and shell scripts. Unfortunately, until we have proper environment filtering support in AppArmor, we will have to employ more bandaids: specifically, either eliminating Ux/sanitized_helper on shell scripts or adjusting those shell scripts to explicitly set their PATH. The good news is that environment filtering is on the AppArmor roadmap, and it is something we will be targeting in future releases. I filed bug #1045985 to more easily track the progress of that work.

Jamie Strandboge (jdstrand) wrote :

For apport, either the '/usr/bin/apport-bug Cx -> sanitized_helper,' rule needs to be removed or we explicitly set PATH in /usr/bin/apport-bug.

summary: - Ubuntu AppArmor policy is sometimes too lenient
+ Ubuntu AppArmor policy is too lenient with shell scripts
Changed in apport (Ubuntu):
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

For isc-dhcp and dhcp3 we should adjust /sbin/dhclient-script to explicitly set the PATH. It is possible to confine it, but with everything that can be put in /etc/dhcp/dhclient-*-hooks.d, this is regression prone.

Changed in isc-dhcp (Ubuntu):
importance: Undecided → High
status: New → Triaged
Changed in dhcp3 (Ubuntu):
importance: Undecided → High
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

For apparmor, the chromium-browser profile in the apparmor-profiles package will need to be adjusted to either confine xdg-settings or adjust it to explicitly set PATH.

Changed in apparmor (Ubuntu):
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

For chromium-browser, we probably want to disable '-d'. An alternative would be to conditionally disable it only when the process is confined. This is brittle and likely won't provide the protection we want.

Changed in chromium-browser (Ubuntu):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

For firefox, we probably want to disable '-d'. An alternative would be to conditionally disable it only when the process is confined. This is brittle and likely won't provide the protection we want. We will want to explicitly set the PATH in its scripts.

Changed in firefox (Ubuntu):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Also for chromium-browser, we will want to explicitly set the PATH in its scripts.

description: updated
Jamie Strandboge (jdstrand) wrote :

CUPS is very difficult. We can certainly adjust the filters that are available in Ubuntu to explicitly set the PATH, but since 3rd party filters can be installed, this gets more and more challenging. Like bug #851986, this may not be reasonably solvable for CUPS until we have proper environment filtering support in AppArmor.

Changed in cups (Ubuntu):
status: New → Confirmed
description: updated
visibility: private → public
description: updated
Changed in isc-dhcp (Ubuntu Natty):
status: New → Triaged
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in isc-dhcp (Ubuntu Oneiric):
status: New → Triaged
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in isc-dhcp (Ubuntu Precise):
status: New → Triaged
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in isc-dhcp (Ubuntu Quantal):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in isc-dhcp (Ubuntu Lucid):
status: New → Invalid
Changed in dhcp3 (Ubuntu Natty):
status: New → Invalid
Changed in dhcp3 (Ubuntu Oneiric):
status: New → Invalid
Changed in dhcp3 (Ubuntu Precise):
status: New → Invalid
Changed in dhcp3 (Ubuntu Quantal):
status: Triaged → Invalid
Changed in dhcp3 (Ubuntu Lucid):
importance: Undecided → High
status: New → Triaged
Changed in dhcp3 (Ubuntu Quantal):
importance: High → Undecided
Changed in apport (Ubuntu Lucid):
status: New → Triaged
Changed in apport (Ubuntu Natty):
status: New → Triaged
Changed in apport (Ubuntu Oneiric):
status: New → Triaged
Changed in apport (Ubuntu Precise):
status: New → Triaged
Changed in apparmor (Ubuntu Lucid):
status: New → Invalid
Changed in apparmor (Ubuntu Natty):
status: New → Triaged
Changed in apparmor (Ubuntu Oneiric):
status: New → Triaged
Changed in apparmor (Ubuntu Precise):
status: New → Triaged
Changed in chromium-browser (Ubuntu Lucid):
status: New → Confirmed
Changed in chromium-browser (Ubuntu Natty):
status: New → Confirmed
Changed in chromium-browser (Ubuntu Oneiric):
status: New → Confirmed
Changed in chromium-browser (Ubuntu Precise):
status: New → Confirmed
Changed in firefox (Ubuntu Lucid):
status: New → Confirmed
Changed in firefox (Ubuntu Natty):
status: New → Confirmed
Changed in firefox (Ubuntu Oneiric):
status: New → Confirmed
Changed in firefox (Ubuntu Precise):
status: New → Confirmed
Changed in cups (Ubuntu Lucid):
status: New → Confirmed
Changed in cups (Ubuntu Natty):
status: New → Confirmed
Changed in cups (Ubuntu Oneiric):
status: New → Confirmed
Changed in cups (Ubuntu Precise):
status: New → Confirmed
Changed in isc-dhcp (Ubuntu Quantal):
status: Triaged → In Progress
Till Kamppeter (till-kamppeter) wrote :

pitti, any idea how to improve the situation with CUPS?

Jamie Strandboge (jdstrand) wrote :

An updated apport is in quantal-proposed.

Changed in apparmor (Ubuntu Quantal):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
assignee: Jamie Strandboge (jdstrand) → nobody
status: In Progress → Triaged
Changed in apport (Ubuntu Quantal):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

isc-dhcp uploaded to quantal-proposed.

Changed in isc-dhcp (Ubuntu Quantal):
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

I need to respin isc-dhcp on quantal since 4.2.4-1ubuntu6 was already there.

Jamie Strandboge (jdstrand) wrote :

Ok, both apport and isc-dhcp needed to be respun. Both are uploaded and sitting in unapproved.

Martin Pitt (pitti) wrote :

Thanks Jamie; do you have a pointer to the apport patch, or can attach it here? I'd like to apply it to trunk as well (or make it suitable for that).

Jamie Strandboge (jdstrand) wrote :

isc-dhcp and dhcp3 have been uploaded to the security PPA.

Changed in isc-dhcp (Ubuntu Natty):
status: Triaged → Fix Committed
importance: Undecided → High
Changed in isc-dhcp (Ubuntu Oneiric):
status: Triaged → Fix Committed
importance: Undecided → High
Changed in isc-dhcp (Ubuntu Precise):
status: Triaged → Fix Committed
importance: Undecided → High
Changed in dhcp3 (Ubuntu Lucid):
status: Triaged → Fix Committed
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

While the ubuntu-integration abstraction doesn't exist in 10.04 LTS, the firefox profile has a Ux rule for apport-bug.

Changed in apport (Ubuntu Lucid):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
Changed in apport (Ubuntu Natty):
status: Triaged → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apport (Ubuntu Oneiric):
status: Triaged → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apport (Ubuntu Precise):
status: Triaged → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apport (Ubuntu Quantal):
status: Fix Committed → In Progress
Jamie Strandboge (jdstrand) wrote :

apport has been uploaded to the security PPA.

Changed in apport (Ubuntu Quantal):
status: In Progress → Fix Committed
Changed in apport (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in apport (Ubuntu Natty):
status: In Progress → Fix Committed
Changed in apport (Ubuntu Oneiric):
status: In Progress → Fix Committed
Changed in apport (Ubuntu Precise):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.5.1-0ubuntu7

---------------
apport (2.5.1-0ubuntu7) quantal-proposed; urgency=low

  * bin/apport-bug: Explicitly set the PATH to that of ENV_SUPATH in
    /etc/login.defs and unset ENV and CDPATH. We need to do this so that confined
    applications using ubuntu-browsers.d/ubuntu-integration cannot abuse the
    environment to escape AppArmor confinement via this script (LP: #1045986).
    This can be removed once AppArmor supports environment filtering
    (LP: 1045985)

apport (2.5.1-0ubuntu6) quantal; urgency=low

  * data/general/ubuntu.py: handle the case where a log file is compressed
    when reviewing package installation failures (LP: #917903)

apport (2.5.1-0ubuntu5) quantal; urgency=low

  * Use Python string rather than QString, LP: #1028984
 -- Jamie Strandboge <email address hidden> Wed, 05 Sep 2012 08:38:23 -0500
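
The changelog above describes the fix: the helper script pins PATH to ENV_SUPATH from /etc/login.defs and unsets ENV and CDPATH, so a confined caller's environment cannot steer what the script (running outside the caller's confinement) executes. As an added example, not apport's or isc-dhcp's own code, the following POSIX sh prologue does that with a small parser for the login.defs line, a sanity check on the result, and a fixed fallback; the function names, the fallback PATH and the sample login.defs content are assumptions.

```shell
#!/bin/sh
# Added example (not the apport or isc-dhcp code): prologue for a helper
# script that is reached via Ux/sanitized_helper and must not trust the
# environment handed to it by a confined caller.

# Extract the ENV_SUPATH value from a login.defs-style file. The real line
# looks like:  ENV_SUPATH  PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:...
# Prints the part after "PATH=", or nothing if the file/line is absent.
supath_from_login_defs() {
    # $1: path to a login.defs-style file
    [ -r "$1" ] || return 0
    # Skip comments, take the first ENV_SUPATH line, keep only the PATH value.
    sed -n 's/^[[:space:]]*ENV_SUPATH[[:space:]]\{1,\}PATH=\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Accept only PATHs whose every entry is absolute: an empty entry, "." or
# ".." would make command lookup depend on the caller's working directory.
path_is_absolute_only() {
    # $1: colon-separated PATH
    _rest="$1:"
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case "$_entry" in
            /*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# The PATH the script should run with: ENV_SUPATH from the given login.defs
# when it passes the sanity check, otherwise a fixed fallback (an assumed
# default, chosen to match the usual Ubuntu ENV_SUPATH).
safe_path() {
    _p=$(supath_from_login_defs "$1")
    if [ -n "$_p" ] && path_is_absolute_only "$_p"; then
        printf '%s\n' "$_p"
    else
        printf '%s\n' "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    fi
}

# Apply the hardening to the running shell: pinned PATH, and the startup
# variables sh/bash honour (ENV, BASH_ENV), CDPATH, IFS and the dynamic
# loader knobs are cleared so nothing in the inherited environment changes
# which code this script ends up executing.
harden_environment() {
    # $1: login.defs to consult (defaults to the system file)
    PATH=$(safe_path "${1:-/etc/login.defs}")
    export PATH
    unset ENV BASH_ENV CDPATH IFS
    unset LD_PRELOAD LD_LIBRARY_PATH LD_AUDIT
}
```

Call harden_environment as the first statement of the script, before any command is looked up through PATH.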

Changed in apport (Ubuntu Quantal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.2.4-1ubuntu7

---------------
isc-dhcp (4.2.4-1ubuntu7) quantal-proposed; urgency=low

  * debian/dhclient-script.linux: Explicitly set the PATH to that of
    ENV_SUPATH in /etc/login.defs and unset various other variables. We need
    to do this so /sbin/dhclient cannot abuse the environment to escape
    AppArmor confinement via this script. This can be removed once AppArmor
    supports environment filtering (LP: 1045985). Don't worry about
    debian/dhclient-script.linux.udeb or debian/dhclient-script.kfreebsd*
    since AppArmor isn't used in these environments.
    - LP: #1045986

isc-dhcp (4.2.4-1ubuntu6) quantal-proposed; urgency=low

  * SECURITY UPDATE: denial of service via unexpected client identifiers
    - debian/patches/CVE-2012-3570.patch: validate MAC length in
      includes/dhcpd.h, server/dhcpv6.c.
    - CVE-2012-3570
  * SECURITY UPDATE: denial of service via malformed client identifiers
    - debian/patches/CVE-2012-3571.patch: validate packets in
      common/options.c, includes/dhcpd.h.
    - CVE-2012-3571
  * SECURITY UPDATE: denial of service via memory leaks
    - debian/patches/CVE-2012-3954.patch: properly manage memory in
      common/options.c and server/dhcpv6.c.
    - CVE-2012-3954
 -- Jamie Strandboge <email address hidden> Wed, 05 Sep 2012 08:59:49 -0500

Changed in isc-dhcp (Ubuntu Quantal):
status: Fix Committed → Fix Released
Changed in apparmor (Ubuntu Quantal):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu3

---------------
apparmor (2.8.0-0ubuntu3) quantal; urgency=low

  * remove 0010-lp972367.patch and 0012-lp964510.patch which should have been
    dropped in 2.8.0-0ubuntu1 since they are included upstream
  * debian/patches/0001-add-chromium-browser.patch:
    - add a couple of small accesses
    - add a child profile for xdgsettings (LP: #1045986)
 -- Jamie Strandboge <email address hidden> Mon, 17 Sep 2012 08:26:46 -0500

Changed in apparmor (Ubuntu Quantal):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.1.1-P1-17ubuntu10.5

---------------
isc-dhcp (4.1.1-P1-17ubuntu10.5) oneiric-security; urgency=low

  [ Jamie Strandboge ]
  * debian/dhclient-script.linux: Explicitly set the PATH to that of
    ENV_SUPATH in /etc/login.defs and unset various other variables. We need
    to do this so /sbin/dhclient cannot abuse the environment to escape
    AppArmor confinement via this script. Don't worry about
    debian/dhclient-script.linux.udeb or debian/dhclient-script.kfreebsd*
    since AppArmor isn't used in these environments.
    - LP: #1045986

  [ Marc Deslauriers ]
  * SECURITY UPDATE: denial of service via ipv6 lease expiration time
    reduction
    - debian/patches/CVE-2012-3955.patch: properly handle time reduction in
      server/dhcpv6.c, server/mdb6.c.
    - CVE-2012-3955
 -- Marc Deslauriers <email address hidden> Fri, 14 Sep 2012 13:02:05 -0400

Changed in isc-dhcp (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.1.ESV-R4-0ubuntu5.5

---------------
isc-dhcp (4.1.ESV-R4-0ubuntu5.5) precise-security; urgency=low

  [ Jamie Strandboge ]
  * debian/dhclient-script.linux: Explicitly set the PATH to that of
    ENV_SUPATH in /etc/login.defs and unset various other variables. We need
    to do this so /sbin/dhclient cannot abuse the environment to escape
    AppArmor confinement via this script. Don't worry about
    debian/dhclient-script.linux.udeb or debian/dhclient-script.kfreebsd*
    since AppArmor isn't used in these environments.
    - LP: #1045986

  [ Marc Deslauriers ]
  * SECURITY UPDATE: denial of service via ipv6 lease expiration time
    reduction
    - debian/patches/CVE-2012-3955.patch: properly handle time reduction in
      server/dhcpv6.c, server/mdb6.c.
    - CVE-2012-3955
 -- Marc Deslauriers <email address hidden> Fri, 14 Sep 2012 12:58:33 -0400

Changed in isc-dhcp (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.1.1-P1-15ubuntu9.6

---------------
isc-dhcp (4.1.1-P1-15ubuntu9.6) natty-security; urgency=low

  [ Jamie Strandboge ]
  * debian/dhclient-script.linux: Explicitly set the PATH to that of
    ENV_SUPATH in /etc/login.defs and unset various other variables. We need
    to do this so /sbin/dhclient cannot abuse the environment to escape
    AppArmor confinement via this script. Don't worry about
    debian/dhclient-script.linux.udeb or debian/dhclient-script.kfreebsd*
    since AppArmor isn't used in these environments.
    - LP: #1045986

  [ Marc Deslauriers ]
  * SECURITY UPDATE: denial of service via ipv6 lease expiration time
    reduction
    - debian/patches/CVE-2012-3955.patch: properly handle time reduction in
      server/dhcpv6.c, server/mdb6.c.
    - CVE-2012-3955
 -- Marc Deslauriers <email address hidden> Fri, 14 Sep 2012 13:04:46 -0400

Changed in isc-dhcp (Ubuntu Natty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dhcp3 - 3.1.3-2ubuntu3.4

---------------
dhcp3 (3.1.3-2ubuntu3.4) lucid-security; urgency=low

  * debian/dhclient-script.linux: Explicitly set the PATH to that of
    ENV_SUPATH in /etc/login.defs and unset various other variables. We need
    to do this so /sbin/dhclient cannot abuse the environment to escape
    AppArmor confinement via this script. Don't worry about
    debian/dhclient-script.udeb or debian/dhclient-script.kfreebsd since
    AppArmor isn't used in these environments.
    - LP: #1045986
  * debian/patches/adjust-configure-for-linux3.dpatch: default to linux-2.2
    for 3.0+ kernels
 -- Jamie Strandboge <email address hidden> Wed, 05 Sep 2012 10:58:55 -0500

Changed in dhcp3 (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in cups (Ubuntu Lucid):
assignee: nobody → Rev. Wm. DOC Holliday (r37u2a49ci)
Changed in cups (Ubuntu Lucid):
assignee: Rev. Wm. DOC Holliday (r37u2a49ci) → nobody
Changed in apparmor (Ubuntu Natty):
status: Triaged → Won't Fix
Changed in apport (Ubuntu Natty):
status: Fix Committed → Won't Fix
Changed in chromium-browser (Ubuntu Natty):
status: Confirmed → Won't Fix
Changed in cups (Ubuntu Natty):
status: Confirmed → Won't Fix
Changed in firefox (Ubuntu Natty):
status: Confirmed → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 1.23-0ubuntu4.1

---------------
apport (1.23-0ubuntu4.1) oneiric-security; urgency=low

  * bin/apport-bug: Explicitly set the PATH to that of ENV_SUPATH in
    /etc/login.defs and unset ENV and CDPATH. We need to do this so that confined
    applications using ubuntu-browsers.d/ubuntu-integration cannot abuse the
    environment to escape AppArmor confinement via this script (LP: #1045986).
 -- Jamie Strandboge <email address hidden> Wed, 05 Sep 2012 13:41:45 -0500

Changed in apport (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.0.1-0ubuntu15.1

---------------
apport (2.0.1-0ubuntu15.1) precise-security; urgency=low

  * bin/apport-bug: Explicitly set the PATH to that of ENV_SUPATH in
    /etc/login.defs and unset ENV and CDPATH. We need to do this so that confined
    applications using ubuntu-browsers.d/ubuntu-integration cannot abuse the
    environment to escape AppArmor confinement via this script (LP: #1045986).
 -- Jamie Strandboge <email address hidden> Mon, 17 Dec 2012 13:33:42 -0600

Changed in apport (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 1.13.3-0ubuntu2.2

---------------
apport (1.13.3-0ubuntu2.2) lucid-security; urgency=low

  * bin/apport-bug: Explicitly set the PATH to that of ENV_SUPATH in
    /etc/login.defs and unset ENV and CDPATH. We need to do this so that confined
    applications which use apport-bug cannot abuse the environment to escape
    AppArmor confinement via this script (LP: #1045986).
 -- Jamie Strandboge <email address hidden> Wed, 05 Sep 2012 13:43:36 -0500

Changed in apport (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in apparmor (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → Fix Committed
Changed in apparmor (Ubuntu Precise):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.7.102-0ubuntu3.7

---------------
apparmor (2.7.102-0ubuntu3.7) precise-security; urgency=low

  * debian/patches/0001-add-chromium-browser.patch:
    - add access for newer versions of chromium (LP: #1091862)
    - add a child profile for xdgsettings (LP: #1045986)
  * debian/patches/0021-fix-racy-onexec-test.patch: fix race in onexec.sh
    kernel regression test
 -- Jamie Strandboge <email address hidden> Wed, 19 Dec 2012 07:51:38 -0600

Changed in apparmor (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.7.0~beta1+bzr1774-1ubuntu2.2

---------------
apparmor (2.7.0~beta1+bzr1774-1ubuntu2.2) oneiric-security; urgency=low

  * debian/patches/0001-add-chromium-browser.patch:
    - add various accesses for newer chromium versions (LP: #1091862)
    - add a child profile for xdgsettings (LP: #1045986)
  * debian/put-all-profiles-in-complain-mode.sh: deal with existing flags
 -- Jamie Strandboge <email address hidden> Tue, 18 Dec 2012 11:53:38 -0600

Changed in apparmor (Ubuntu Oneiric):
status: Fix Committed → Fix Released

Hello Jamie, or anyone else affected,

Accepted apport into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/apport/2.0.1-0ubuntu17.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
Jamie Strandboge (jdstrand) wrote :

The update for this bug was included in an update to precise-security. I tested that 2.0.1-0ubuntu17.1 contains the fix for this bug and that 2.0.1-0ubuntu17.1 passes QRT. Marking 'verification-done'.

tags: added: verification-done
removed: verification-needed

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

jay waker (jay74) on 2013-02-20
information type: Public Security → Private
information type: Private → Public Security
Changed in apparmor (Ubuntu Lucid):
status: Invalid → Incomplete
Changed in apparmor (Ubuntu Lucid):
status: Incomplete → Invalid
Chad Miller (cmiller) on 2013-04-24
Changed in chromium-browser (Ubuntu):
assignee: nobody → Chad Miller (cmiller)
status: Confirmed → Fix Committed
Adolfo Jayme (fitojb) wrote :

(Untargetting old EOLd releases)

no longer affects: chromium-browser (Ubuntu Lucid)
no longer affects: chromium-browser (Ubuntu Natty)
no longer affects: chromium-browser (Ubuntu Oneiric)
no longer affects: cups (Ubuntu Lucid)
no longer affects: cups (Ubuntu Natty)
no longer affects: cups (Ubuntu Oneiric)
no longer affects: firefox (Ubuntu Lucid)
no longer affects: firefox (Ubuntu Natty)
no longer affects: firefox (Ubuntu Oneiric)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chromium-browser - 28.0.1500.52-0ubuntu1.12.10.2

---------------
chromium-browser (28.0.1500.52-0ubuntu1.12.10.2) quantal-security; urgency=low

  [Chad MILLER]
  * New stable release 28.0.1500.52
  * New stable release 28.0.1500.45
  * New stable release 27.0.1453.110:
    - CVE-2013-2855: Memory corruption in dev tools API.
    - CVE-2013-2856: Use-after-free in input handling.
    - CVE-2013-2857: Use-after-free in image handling.
    - CVE-2013-2858: Use-after-free in HTML5 Audio.
    - CVE-2013-2859: Cross-origin namespace pollution.
    - CVE-2013-2860: Use-after-free with workers accessing database APIs.
    - CVE-2013-2861: Use-after-free with SVG.
    - CVE-2013-2862: Memory corruption in Skia GPU handling.
    - CVE-2013-2863: Memory corruption in SSL socket handling.
    - CVE-2013-2864: Bad free in PDF viewer.
  * New stable release 27.0.1453.93:
    - CVE-2013-2837: Use-after-free in SVG.
    - CVE-2013-2838: Out-of-bounds read in v8.
    - CVE-2013-2839: Bad cast in clipboard handling.
    - CVE-2013-2840: Use-after-free in media loader.
    - CVE-2013-2841: Use-after-free in Pepper resource handling.
    - CVE-2013-2842: Use-after-free in widget handling.
    - CVE-2013-2843: Use-after-free in speech handling.
    - CVE-2013-2844: Use-after-free in style resolution.
    - CVE-2013-2845: Memory safety issues in Web Audio.
    - CVE-2013-2846: Use-after-free in media loader.
    - CVE-2013-2847: Use-after-free race condition with workers.
    - CVE-2013-2848: Possible data extraction with XSS Auditor.
    - CVE-2013-2849: Possible XSS with drag+drop or copy+paste.
  * Drop unneeded patches,
      safe-browsing-sigbus.patch
      dont-assume-cross-compile-on-arm.patch
      struct-siginfo.patch
      ld-memory-32bit.patch
      dlopen_sonamed_gl.patch
  * Temporarily disable webapps patches.
  * Update arm-neon patch, format-flag patch, search-credit patch,
    title-bar-system-default patch.
  * Make get-orig-source nicer. Package tarball contents from upstream
    correctly.
  * Reenable dyn-linking of major components of chromium for 32-bit machines.
    Fix a libdir path bug in debian/chromium-browser.sh.in .
  * No longer try to use system libraries. Generally, Security Team would
    hate bundled libraries because they provide a wide liability, but
    Chromium Project is pretty good about maintaining their bundled-source
    libraries. We can not pull cr-required lib versions forward in older
    Ubuntus, and we can't guarantee all the distro versions of libraries work
    with chromium-browser. The default security policy might be worse. Bundled
    libraries are less work overall.
  * Exclude included XDG files even if they are built.
  * Use NEON instructions on ARM, optionally. This might use run-time checks
    for hardware capability, but even if it doesn't we can add it later.
  * Clean up difference checks in debian/rules that make sure that all files
    that the build makes are used in packages, and no longer hide any, and no
    longer consider it an error if some are unused. Treat it as a warning,
    not a fatality.
  * Use legible shell instead of make-generated shell in set...


Changed in chromium-browser (Ubuntu Quantal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chromium-browser - 28.0.1500.52-0ubuntu1.12.04.2

---------------
chromium-browser (28.0.1500.52-0ubuntu1.12.04.2) precise-security; urgency=low

  [Chad MILLER]
  * New stable release 28.0.1500.52
  * New stable release 28.0.1500.45
  * New stable release 27.0.1453.110:
    - CVE-2013-2855: Memory corruption in dev tools API.
    - CVE-2013-2856: Use-after-free in input handling.
    - CVE-2013-2857: Use-after-free in image handling.
    - CVE-2013-2858: Use-after-free in HTML5 Audio.
    - CVE-2013-2859: Cross-origin namespace pollution.
    - CVE-2013-2860: Use-after-free with workers accessing database APIs.
    - CVE-2013-2861: Use-after-free with SVG.
    - CVE-2013-2862: Memory corruption in Skia GPU handling.
    - CVE-2013-2863: Memory corruption in SSL socket handling.
    - CVE-2013-2864: Bad free in PDF viewer.
  * New stable release 27.0.1453.93:
    - CVE-2013-2837: Use-after-free in SVG.
    - CVE-2013-2838: Out-of-bounds read in v8.
    - CVE-2013-2839: Bad cast in clipboard handling.
    - CVE-2013-2840: Use-after-free in media loader.
    - CVE-2013-2841: Use-after-free in Pepper resource handling.
    - CVE-2013-2842: Use-after-free in widget handling.
    - CVE-2013-2843: Use-after-free in speech handling.
    - CVE-2013-2844: Use-after-free in style resolution.
    - CVE-2013-2845: Memory safety issues in Web Audio.
    - CVE-2013-2846: Use-after-free in media loader.
    - CVE-2013-2847: Use-after-free race condition with workers.
    - CVE-2013-2848: Possible data extraction with XSS Auditor.
    - CVE-2013-2849: Possible XSS with drag+drop or copy+paste.
  * Drop unneeded patches,
      safe-browsing-sigbus.patch
      dont-assume-cross-compile-on-arm.patch
      struct-siginfo.patch
      ld-memory-32bit.patch
      dlopen_sonamed_gl.patch
  * Update arm-neon patch, format-flag patch, search-credit patch,
    title-bar-system-default patch.
  * Make get-orig-source nicer. Package tarball contents from upstream
    correctly.
  * Reenable dyn-linking of major components of chromium for 32-bit machines.
    Fix a libdir path bug in debian/chromium-browser.sh.in .
  * No longer try to use system libraries. Generally, Security Team would
    hate bundled libraries because they provide a wide liability, but
    Chromium Project is pretty good about maintaining their bundled-source
    libraries. We can not pull cr-required lib versions forward in older
    Ubuntus, and we can't guarantee all the distro versions of libraries work
    with chromium-browser. The default security policy might be worse. Bundled
    libraries are less work overall.
  * Exclude included XDG files even if they are built.
  * Use NEON instructions on ARM, optionally. This might use run-time checks
    for hardware capability, but even if it doesn't we can add it later.
  * Clean up difference checks in debian/rules that make sure that all files
    that the build makes are used in packages, and no longer hide any, and no
    longer consider it an error if some are unused. Treat it as a warning,
    not a fatality.
  * Use legible shell instead of make-generated shell in setting the rpath
    in rules.
  * Add new ...


Changed in chromium-browser (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chromium-browser - 28.0.1500.52-0ubuntu1.13.04.2

---------------
chromium-browser (28.0.1500.52-0ubuntu1.13.04.2) raring-security; urgency=low

  [Chad MILLER]
  * New stable release 28.0.1500.52
  * New stable release 28.0.1500.45
  * New stable release 27.0.1453.110:
    - CVE-2013-2855: Memory corruption in dev tools API.
    - CVE-2013-2856: Use-after-free in input handling.
    - CVE-2013-2857: Use-after-free in image handling.
    - CVE-2013-2858: Use-after-free in HTML5 Audio.
    - CVE-2013-2859: Cross-origin namespace pollution.
    - CVE-2013-2860: Use-after-free with workers accessing database APIs.
    - CVE-2013-2861: Use-after-free with SVG.
    - CVE-2013-2862: Memory corruption in Skia GPU handling.
    - CVE-2013-2863: Memory corruption in SSL socket handling.
    - CVE-2013-2864: Bad free in PDF viewer.
  * New stable release 27.0.1453.93:
    - CVE-2013-2837: Use-after-free in SVG.
    - CVE-2013-2838: Out-of-bounds read in v8.
    - CVE-2013-2839: Bad cast in clipboard handling.
    - CVE-2013-2840: Use-after-free in media loader.
    - CVE-2013-2841: Use-after-free in Pepper resource handling.
    - CVE-2013-2842: Use-after-free in widget handling.
    - CVE-2013-2843: Use-after-free in speech handling.
    - CVE-2013-2844: Use-after-free in style resolution.
    - CVE-2013-2845: Memory safety issues in Web Audio.
    - CVE-2013-2846: Use-after-free in media loader.
    - CVE-2013-2847: Use-after-free race condition with workers.
    - CVE-2013-2848: Possible data extraction with XSS Auditor.
    - CVE-2013-2849: Possible XSS with drag+drop or copy+paste.
  * Drop unneeded patches,
      safe-browsing-sigbus.patch
      dont-assume-cross-compile-on-arm.patch
      struct-siginfo.patch
      ld-memory-32bit.patch
      dlopen_sonamed_gl.patch
  * Temporarily disable webapps patches.
  * Update arm-neon patch, format-flag patch, search-credit patch,
    title-bar-system-default patch.
  * Make get-orig-source nicer. Package tarball contents from upstream
    correctly.
  * Reenable dyn-linking of major components of chromium for 32-bit machines.
    Fix a libdir path bug in debian/chromium-browser.sh.in .
  * No longer try to use system libraries. Generally, Security Team would
    hate bundled libraries because they provide a wide liability, but
    Chromium Project is pretty good about maintaining their bundled-source
    libraries. We can not pull cr-required lib versions forward in older
    Ubuntus, and we can't guarantee all the distro versions of libraries work
    with chromium-browser. The default security policy might be worse. Bundled
    libraries are less work overall.
  * Exclude included XDG files even if they are built.
  * Use NEON instructions on ARM, optionally. This might use run-time checks
    for hardware capability, but even if it doesn't we can add it later.
  * Clean up difference checks in debian/rules that make sure that all files
    that the build makes are used in packages, and no longer hide any, and no
    longer consider it an error if some are unused. Treat it as a warning,
    not a fatality.
  * Use legible shell instead of make-generated shell in sett...


Changed in chromium-browser (Ubuntu):
status: Fix Committed → Fix Released
Changed in cups (Ubuntu Quantal):
status: Confirmed → Won't Fix
Changed in firefox (Ubuntu Quantal):
status: Confirmed → Won't Fix
This report contains Public Security information.