Format: 1.8 Date: Wed, 14 Dec 2016 21:28:57 +0100 Source: apport Binary: apport python-problem-report python3-problem-report python-apport python3-apport apport-retrace apport-valgrind apport-gtk apport-kde dh-apport apport-noui Architecture: all amd64_translations Version: 2.20.4-0ubuntu1 Distribution: zesty-proposed Urgency: medium Maintainer: Launchpad Build Daemon Changed-By: Martin Pitt Description: apport - automatically generate crash reports for debugging apport-gtk - GTK+ frontend for the apport crash report system apport-kde - KDE frontend for the apport crash report system apport-noui - tools for automatically reporting Apport crash reports apport-retrace - tools for reprocessing Apport crash reports apport-valgrind - valgrind wrapper that first downloads debug symbols dh-apport - debhelper extension for the apport crash report system python-apport - Python library for Apport crash report handling python-problem-report - Python library to handle problem reports python3-apport - Python 3 library for Apport crash report handling python3-problem-report - Python 3 library to handle problem reports Launchpad-Bugs-Fixed: 1648806 Changes: apport (2.20.4-0ubuntu1) zesty; urgency=medium . * New upstream release: - SECURITY FIX: Restrict a report's CrashDB field to literals. Use ast.literal_eval() instead of the generic eval(), to prevent arbitrary code execution from malicious .crash files. A user could be tricked into opening a crash file whose CrashDB field contains an exec(), open(), or similar commands; this is fairly easy as we install a MIME handler for these. Thanks to Donncha O'Cearbhaill for discovering this! (CVE-2016-9949, LP: #1648806) - SECURITY FIX: Fix path traversal vulnerability with hooks execution. Ensure that Package: and SourcePackage: fields loaded from reports do not contain directories. Until now, an attacker could trick a user into opening a malicious .crash file containing "Package: ../../../../some/dir/foo" which would execute /some/dir/foo.py with arbitrary code. Thanks to Donncha O'Cearbhaill for discovering this! (CVE-2016-9950, LP: #1648806) - SECURITY FIX: apport-{gtk,kde}: Only offer "Relaunch" for recent /var/crash crashes. It only makes sense to offer relaunching for crashes that just happened and the apport UI got triggered on those. When opening a .crash file copied from somewhere else or after the crash happened, this is even actively dangerous as a malicious crash file can specify any arbitrary command to run. Thanks to Donncha O'Cearbhaill for discovering this! (CVE-2016-9951, LP: #1648806) - backends/packaging-apt-dpkg.py: provide a fallback method if using zgrep to search for a file in Contents.gz fails due to a lack of memory. Thanks Brian Murray. - bin/apport-retrace: When --core-file is used instead of loading the core file and adding it to the apport report just pass the file reference to gdb. * debian/control: Adjust Vcs-Bzr: for zesty branch. Checksums-Sha1: 48a9eeb4435225d38cfcd6ba493e86ce14cd95ae 9504 apport-gtk_2.20.4-0ubuntu1_all.deb 709f27309db9cc5d7297d08f713b4b880cc5706a 17762 apport-kde_2.20.4-0ubuntu1_all.deb b10fdde6c3b44c1bf7991db6567d9083b79b7843 2844 apport-noui_2.20.4-0ubuntu1_all.deb 396500be26efa27148142c090f13c39a537c7d1a 12324 apport-retrace_2.20.4-0ubuntu1_all.deb f4f0da054261d7a4d8ff51b78fbcfbfce32d875f 5084 apport-valgrind_2.20.4-0ubuntu1_all.deb 8851896100096c7e227c35739371033b47be3338 120808 apport_2.20.4-0ubuntu1_all.deb 5ac6525dfe32e13e2959e207073d676a8a31166c 1211757 apport_2.20.4-0ubuntu1_amd64_translations.tar.gz ef50b036efaf610ff94b6264cb3951a55e5dedf5 7488 dh-apport_2.20.4-0ubuntu1_all.deb 8be9e164d22e58725a6c818765b32f9241105218 79394 python-apport_2.20.4-0ubuntu1_all.deb 792717c57eda2858465bc3429df9d5c7b8120a36 10424 python-problem-report_2.20.4-0ubuntu1_all.deb 5395f05f089d05189f7fcd8f21b2e6246542c2ed 79504 python3-apport_2.20.4-0ubuntu1_all.deb 81f48bdffa47045bc56681fb634fd740c94ef5d9 10502 python3-problem-report_2.20.4-0ubuntu1_all.deb Checksums-Sha256: 5a5b731f3b1f067c6a2b8f381a347c6aea947108ba49302a96c35b0ca4253531 9504 apport-gtk_2.20.4-0ubuntu1_all.deb e82ccc01782169fcdadb32f4f3042d5f75b718761ee667a7ff0618c99dfc0cab 17762 apport-kde_2.20.4-0ubuntu1_all.deb ff1c33af940cbb43024034ca201d9a66ddd54364a71ae90d4a868c43eff1b7b7 2844 apport-noui_2.20.4-0ubuntu1_all.deb 0b467f9a03c13203f47a29ed3745cf1c02e12e399efbf255ae98452e30dcc1e1 12324 apport-retrace_2.20.4-0ubuntu1_all.deb d27e103ae503b50c4fb60cbbb529ceebf559feb773a42efa5f72431a3664819c 5084 apport-valgrind_2.20.4-0ubuntu1_all.deb 9deb799d21347f4f6d356deac5219463cb833b97dcf39b6f440b9b47606298b1 120808 apport_2.20.4-0ubuntu1_all.deb 1cddbcf3a2d40f005945367b2069538387fc5ed7ebb480995b2e4ca948cec43a 1211757 apport_2.20.4-0ubuntu1_amd64_translations.tar.gz b3fdd14b99ad7dfe7a12da2ec597846a662e7246949a5f67ed7420fa51fe7723 7488 dh-apport_2.20.4-0ubuntu1_all.deb 53ec84c715b84a62a8f04e956cc51f48a2359b47f6de1a72054c9ed130cda024 79394 python-apport_2.20.4-0ubuntu1_all.deb 2f2d6ab46200f1414555b1c6009d4ae12beea65674ca5ca19dce93b9e3bbba35 10424 python-problem-report_2.20.4-0ubuntu1_all.deb eacba522aa05757b2d71b0c11f3160cf308e86af7dc1ac79a73ed9023756e31b 79504 python3-apport_2.20.4-0ubuntu1_all.deb 86b8ec58207306db87ebf332a712374c2b900feece2acc71939681c448b45c0a 10502 python3-problem-report_2.20.4-0ubuntu1_all.deb Files: cff56b3ec70bd4b1eac0f7cb9e525e6e 9504 gnome optional apport-gtk_2.20.4-0ubuntu1_all.deb caea7accbb0ab2cecf8ee322fb539c50 17762 kde optional apport-kde_2.20.4-0ubuntu1_all.deb fa615148d3e8d04a4f603795bbbaa74e 2844 utils optional apport-noui_2.20.4-0ubuntu1_all.deb 5dcef85706f453372d7e6dbdab50f778 12324 devel optional apport-retrace_2.20.4-0ubuntu1_all.deb f50dd277e510c03dc8ccb24968a2a2cc 5084 devel optional apport-valgrind_2.20.4-0ubuntu1_all.deb b83ba1702729e04e501f712dddb09d0a 120808 utils optional apport_2.20.4-0ubuntu1_all.deb f09e3fed73413de239ef735d8faf3d4b 1211757 raw-translations - apport_2.20.4-0ubuntu1_amd64_translations.tar.gz 183428ea4325be0d90523739481a5a48 7488 devel optional dh-apport_2.20.4-0ubuntu1_all.deb 7f3c6928f0dcb466bf8405f73f39a179 79394 python optional python-apport_2.20.4-0ubuntu1_all.deb edfc500efe9c77b60bbcdff7d07f0d3a 10424 python optional python-problem-report_2.20.4-0ubuntu1_all.deb 90a734cefd82de4b2b7e4753a903bc20 79504 python optional python3-apport_2.20.4-0ubuntu1_all.deb 1e3b0ba1df66dda880c2d4dbe25d0b27 10502 python optional python3-problem-report_2.20.4-0ubuntu1_all.deb