Changelog
whoopsie-daisy (0.1.8) precise; urgency=low

  * Security fixes. Thanks Jamie Strandboge for the review.
    - Check the return value of the open call in get_system_uuid.
    - Properly initialize libcrypt.
    - Check that the call to gcry_md_open succeeds.
    - Ensure that reading the SHA512 message digest succeeds.
    - Protect against changes to the message digest length creating a
      security vulnerability.
    - Check the return code of setenv.
    - Use /var/lock/whoopsie instead of /tmp/.whoopsie-lock.
    - umask is usually called before fork.
    - Future-proof by using getrlimit instead of explicitly closing STD*.
    - Redirect stdin, stdout, and stderr to /dev/null.
    - Ensure strings created in update_to_crash_file are NULL-terminated.
    - Only process regular files in /var/crash.
    - Replace calls to *alloc with g_*alloc, which calls abort() on
      failure.
    - Remove unused system_uuid pointer.
    - Fix warnings in make check.
    - Initialize all of curl.
    - Redirect stderr to null in chgrp and chmod calls.
    - Set home directory to /nonexistent.
    - Enable libcrypt secure memory.
    - Put the lock file in /var/lock/whoopsie/.
    - Sanity check the CRASH_DB_URL environment variable.
    - Added tests:
      - Check handling of embedded NUL bytes.
      - Verify that symlinks in /var/crash produce the correct error
        message.
      - Verify that keys without values in reports produce an error message.
      - Ensure that the report does not start with a value.
      - Correctly identify a report without spaces as malformed.
      - Verify that directories in /var/crash produce the correct error
        message.
      - Ensure that blank lines in a report are treated as errors.
      - Ensure that carriage returns are escaped.
      - Do not start multi-line values with a newline.
      - Check that a valid report has the exact expected contents.
      - Ensure that other variants of embedded carriage returns are escaped.
      - Verify that reports without a trailing newline are handled properly.
  * Change crash database URL to http://daisy.ubuntu.com.
  * Main inclusion request approved (LP: #913694).

 -- Evan Dandrea <email address hidden>  Thu, 16 Feb 2012 16:37:35 +0000