* New upstream bug fix release:
- SECURITY UPDATE: Fix root privilege escalation through crash forwarding
to containers.
Version 2.13 introduced forwarding a crash to a container's apport. By
crafting a specific file system structure, entering it as a namespace
("container"), and crashing something in it, a local user could access
arbitrary files on the host system with root privileges.
Thanks to Stéphane Graber for discovering and fixing this!
(CVE-2015-1318, LP: #1438758)
- apport-kde tests: Fix imports to make tests work again.
- Fix UnicodeDecodeError on parsing non-ASCII environment variables.
- apport: use the proper pid when calling apport in another PID namespace.
Thanks Brian Murray. (LP: #1300235)
-- Martin Pitt <email address hidden> Tue, 14 Apr 2015 09:10:17 -0500
This bug was fixed in the package apport - 2.17.1-0ubuntu1
---------------
apport (2.17.1-0ubuntu1) vivid; urgency=medium
* New upstream bug fix release: "container" ), and crashing something in it, a local user could access CVE-2015- 1318, LP: #1438758)
- SECURITY UPDATE: Fix root privilege escalation through crash forwarding
to containers.
Version 2.13 introduced forwarding a crash to a container's apport. By
crafting a specific file system structure, entering it as a namespace
(
arbitrary files on the host system with root privileges.
Thanks to Stéphane Graber for discovering and fixing this!
(
- apport-kde tests: Fix imports to make tests work again.
- Fix UnicodeDecodeError on parsing non-ASCII environment variables.
- apport: use the proper pid when calling apport in another PID namespace.
Thanks Brian Murray. (LP: #1300235)
-- Martin Pitt <email address hidden> Tue, 14 Apr 2015 09:10:17 -0500