apport 2.20.4-0ubuntu1 source package in Ubuntu

Changelog

apport (2.20.4-0ubuntu1) zesty; urgency=medium

  * New upstream release:
    - SECURITY FIX: Restrict a report's CrashDB field to literals.
      Use ast.literal_eval() instead of the generic eval(), to prevent
      arbitrary code execution from malicious .crash files. A user could be
      tricked into opening a crash file whose CrashDB field contains an
      exec(), open(), or similar commands; this is fairly easy as we install a
      MIME handler for these. Thanks to Donncha O'Cearbhaill for discovering
      this!  (CVE-2016-9949, LP: #1648806)
    - SECURITY FIX: Fix path traversal vulnerability with hooks execution.
      Ensure that Package: and SourcePackage: fields loaded from reports do
      not contain directories. Until now, an attacker could trick a user into
      opening a malicious .crash file containing "Package:
      ../../../../some/dir/foo" which would execute /some/dir/foo.py with
      arbitrary code. Thanks to Donncha O'Cearbhaill for discovering this!
      (CVE-2016-9950, LP: #1648806)
    - SECURITY FIX: apport-{gtk,kde}: Only offer "Relaunch" for recent
      /var/crash crashes.
      It only makes sense to offer relaunching for crashes that just happened
      and the apport UI got triggered on those. When opening a .crash file
      copied from somewhere else or after the crash happened, this is even
      actively dangerous as a malicious crash file can specify any arbitrary
      command to run. Thanks to Donncha O'Cearbhaill for discovering this!
      (CVE-2016-9951, LP: #1648806)
    - backends/packaging-apt-dpkg.py: provide a fallback method if using zgrep
      to search for a file in Contents.gz fails due to a lack of memory.
      Thanks Brian Murray.
    - bin/apport-retrace: When --core-file is used instead of loading the core
      file and adding it to the apport report just pass the file reference to
      gdb.
  * debian/control: Adjust Vcs-Bzr: for zesty branch.

 -- Martin Pitt <email address hidden>  Wed, 14 Dec 2016 21:28:57 +0100
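
The two input-validation fixes described in the changelog above (CVE-2016-9949 and CVE-2016-9950), sketched as an added example; this is not apport's own code. The function names and sample field values are hypothetical, and the "name version" layout of the Package: field is an assumption.

```python
import ast

# Constructed field values for illustration; not taken from a real .crash file.
BENIGN_CRASHDB = "{'impl': 'launchpad', 'project': 'example'}"
CALL_CRASHDB = "{'impl': 'memory', 'note': open('/dev/null')}"


def parse_crashdb_field(value):
    """Parse a CrashDB field as a dict literal (hypothetical helper).

    ast.literal_eval() only builds strings, numbers, tuples, lists, dicts,
    sets, booleans and None; a call expression is rejected, never executed.
    """
    try:
        spec = ast.literal_eval(value)
    except (ValueError, SyntaxError, TypeError,
            MemoryError, RecursionError) as exc:
        raise ValueError("CrashDB field is not a Python literal") from exc
    if not isinstance(spec, dict):
        raise ValueError("CrashDB field must be a dict literal")
    return spec


def safe_hook_name(field_value):
    """Return the package name from a Package:/SourcePackage: value.

    Assumes the value is "name [version]". Any directory component is
    refused, so the name cannot steer a hook lookup outside the hook dir.
    """
    tokens = field_value.split()
    name = tokens[0] if tokens else ""
    if not name or "/" in name or name in (".", ".."):
        raise ValueError("package field contains a directory component")
    return name


def is_rejected(check, value):
    """True if the given validator refuses the value."""
    try:
        check(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_crashdb_field(BENIGN_CRASHDB))
    print(is_rejected(parse_crashdb_field, CALL_CRASHDB))
    print(is_rejected(safe_hook_name, "../../../../some/dir/foo"))
```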

Upload details

Uploaded by: Martin Pitt
Uploaded to: Zesty
Original maintainer: Martin Pitt
Architectures: all
Section: utils
Urgency: Medium Urgency

Builds

Zesty: [FULLYBUILT] amd64

Downloads

File Size SHA-256 Checksum
apport_2.20.4.orig.tar.gz 1.1 MiB 4836252a61184fbc6ee526032bb5334db216efcf4ac3069ff1a9ab4fa130b985
apport_2.20.4-0ubuntu1.diff.gz 149.6 KiB 1f1d1cda22203dc0fdcf812ed559aad4a4919619b9985a109865fe2e5f08ae53
apport_2.20.4-0ubuntu1.dsc 3.0 KiB 386b055c7c3163e2bb596ba273ae716d12e1f86ce0b0f3f083472c74400ea1f9

Binary packages built by this source

apport
apport-gtk
apport-kde
apport-noui
apport-retrace
apport-valgrind
dh-apport
python-apport
python-problem-report
python3-apport
python3-problem-report