arbitrary code execution in compare_versions

Bug #1353046 reported by Marc Deslauriers
Affects               Status        Importance  Assigned to       Milestone
reportbug (Ubuntu)    Fix Released  High        Scott Kitterman   -
  Lucid               Won't Fix     Undecided   Unassigned        -
  Precise             Fix Released  High        Marc Deslauriers  -
  Trusty              Fix Released  High        Scott Kitterman   -
  Utopic              Fix Released  High        Scott Kitterman   -

Bug Description

From DSA 2997-1:

Jakub Wilk discovered a remote command execution flaw in reportbug, a
tool to report bugs in the Debian distribution. A man-in-the-middle
attacker could put shell metacharacters in the version number allowing
arbitrary code execution with the privileges of the user running
reportbug.
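To make the bug class concrete, here is an added illustration, not reportbug's own code (the page does not reproduce the vulnerable compare_versions): a version check that interpolates both version strings into a shell command line, the pattern the changelog entries below describe as "use os.system to compare versions", beside two shell-free replacements. The command shape, the validation regex, the helper names and the sample version strings are assumptions of this example; the pure-Python comparison is a transcription of dpkg's verrevcmp algorithm, with the sign convention (1 when upstream is newer, -1 when current is newer, 0 when equal) chosen here.

```python
"""CVE-2014-0479 bug class and two fixes (added example, not reportbug's code)."""
import re
import subprocess

# Debian version syntax, slightly stricter than Policy 5.6.12 (no ':' inside
# the upstream part): optional numeric epoch, then a string that starts with a
# digit and contains only [A-Za-z0-9.+~-].  No shell metacharacter survives it.
DEBIAN_VERSION_RE = re.compile(r"^(?:\d+:)?\d[A-Za-z0-9.+~-]*$")


def is_valid_debian_version(version):
    return bool(DEBIAN_VERSION_RE.match(version))


def vulnerable_command(current, upstream):
    """The bug class: attacker-influenced text interpolated into a command
    line that os.system() hands to /bin/sh.  (Assumed shape; the original
    reportbug code is not on the page.)  With an upstream value such as
    '1.0; touch /tmp/pwned' the ';' is parsed by the shell as syntax."""
    return "dpkg --compare-versions %s lt %s" % (current, upstream)


def dpkg_argv(current, upstream):
    """Fix 1: validate both inputs, then build an argv list.  A list passed
    to subprocess.run() without shell=True never involves /bin/sh, so
    metacharacters are plain bytes inside one argument, not syntax."""
    for v in (current, upstream):
        if not is_valid_debian_version(v):
            raise ValueError("not a Debian version string: %r" % v)
    return ["dpkg", "--compare-versions", current, "lt", upstream]


def current_is_older_per_dpkg(current, upstream):
    """Runs dpkg shell-free; exit status 0 means 'current lt upstream'."""
    return subprocess.run(dpkg_argv(current, upstream), check=False).returncode == 0


def _order(c):
    # dpkg's order(): digits 0, letters their ASCII value, '~' sorts before
    # everything including end-of-string (-1), other punctuation after letters.
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """dpkg's verrevcmp(): compare alternating non-digit and digit runs."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[0] if a else ""), _order(b[0] if b else "")
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")          # leading zeros are insignificant
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = (a[0] > b[0]) - (a[0] < b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():                     # longer digit run wins
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """[epoch:]upstream[-revision]; a missing epoch is 0, revision ''."""
    epoch, upstream, revision = 0, version, ""
    if ":" in upstream:
        e, upstream = upstream.split(":", 1)
        epoch = int(e)
    if "-" in upstream:
        upstream, revision = upstream.rsplit("-", 1)
    return epoch, upstream, revision


def compare_versions(current, upstream):
    """Fix 2, shell-free and dpkg-free: 1 if upstream is newer than current,
    -1 if current is newer, 0 if equal.  Invalid input raises ValueError."""
    for v in (current, upstream):
        if not is_valid_debian_version(v):
            raise ValueError("not a Debian version string: %r" % v)
    ce, cu, cr = _split(current)
    ue, uu, ur = _split(upstream)
    r = (ue > ce) - (ue < ce) or _verrevcmp(uu, cu) or _verrevcmp(ur, cr)
    return (r > 0) - (r < 0)


if __name__ == "__main__":
    hostile = "1.0; touch /tmp/pwned"               # constructed MITM-supplied value
    print("shell would run :", vulnerable_command("6.3.1", hostile))
    print("argv form       :", dpkg_argv("6.3.1", "6.5.0+nmu1"))
    print("pure python     :", compare_versions("6.3.1", "6.5.0+nmu1"))
    try:
        compare_versions("6.3.1", hostile)
    except ValueError as exc:
        print("rejected        :", exc)
```

Run stand-alone, the first line shows the `;` reaching the shell in the vulnerable form, while both replacements reject the hostile string before any process is spawned. The argv form would be safe even without the regex, since no shell ever parses it; that property, not input filtering, is what closes the bug, and the validation is kept because dpkg reports garbage with exit status 2 rather than a usable answer.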

Changed in reportbug (Ubuntu Lucid):
status: New → Confirmed
Changed in reportbug (Ubuntu Precise):
status: New → Confirmed
Changed in reportbug (Ubuntu Trusty):
status: New → Confirmed
Changed in reportbug (Ubuntu Utopic):
status: New → Confirmed
Changed in reportbug (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Scott Kitterman (kitterman) wrote:

I decided it would be better to version/use debian/changelog from Debian in Trusty as well for consistency of the versioning with Debian. Since there are no other changes, it seemed the most sane way to go about it.

Changed in reportbug (Ubuntu Utopic):
assignee: nobody → Scott Kitterman (kitterman)
Changed in reportbug (Ubuntu Trusty):
assignee: nobody → Scott Kitterman (kitterman)
Changed in reportbug (Ubuntu Utopic):
importance: Undecided → High
Changed in reportbug (Ubuntu Trusty):
importance: Undecided → High
Changed in reportbug (Ubuntu Precise):
importance: Undecided → High
Scott Kitterman (kitterman) wrote:

Uploaded for Utopic.

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package reportbug - 6.3.1ubuntu1.1

---------------
reportbug (6.3.1ubuntu1.1) precise-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution in compare_versions
    (LP: #1353046)
    - reportbug/checkversions.py: don't use os.system to compare versions.
    - reportbug/__init__.py: update version number.
    - CVE-2014-0479
 -- Marc Deslauriers <email address hidden> Tue, 05 Aug 2014 14:52:52 -0400

Changed in reportbug (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package reportbug - 6.5.0+nmu1ubuntu0.1

---------------
reportbug (6.5.0+nmu1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE:
  * References
  * CVE-2014-0479
  * LP: #1353046
  * Merge from Debian unstable. Remaining changes:
    - bin/reportbug: If bts=ubuntu or unconfigured, exit with an
      error and refer user "ubuntu-bug" instead.
    - reportbug/__init__.py: Match reportbug version with package version.
    - debian/control: Add prominent note to package description.
    - debian/rules, debian/dirs: Do not install .desktop file.
 -- Scott Kitterman <email address hidden> Tue, 05 Aug 2014 14:49:52 -0400

Changed in reportbug (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package reportbug - 6.5.0+nmu1ubuntu2

---------------
reportbug (6.5.0+nmu1ubuntu2) utopic; urgency=medium

  * Use 6.5.0 as version to match release regex that excludes +nmu.

reportbug (6.5.0+nmu1ubuntu1) utopic; urgency=medium

  * Merge from Debian unstable. Remaining changes (LP: #1353046):
    - bin/reportbug: If bts=ubuntu or unconfigured, exit with an
      error and refer user "ubuntu-bug" instead.
    - reportbug/__init__.py: Match reportbug version with package version.
    - debian/control: Add prominent note to package description.
    - debian/rules, debian/dirs: Do not install .desktop file.

reportbug (6.5.0+nmu1) unstable; urgency=high

  * Non-maintainer upload.
  * CVE-2014-0479: Arbitrary code execution in compare_versions.
    A man-in-the-middle attacker could put shell metacharacters in the
    version number, causing execution of code of their choice.
    Thanks to Jakub Wilk <email address hidden>
 -- Scott Kitterman <email address hidden> Tue, 05 Aug 2014 15:19:08 -0400

Changed in reportbug (Ubuntu Utopic):
status: Confirmed → Fix Released
Rolf Leggewie (r0lf) wrote:

Lucid has seen the end of its life and is no longer receiving any updates. Marking the Lucid task for this ticket as "Won't Fix".

Changed in reportbug (Ubuntu Lucid):
status: Confirmed → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.
