Comment 43 for bug 357024

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 0.108.4

apport (0.108.4) hardy-security; urgency=low

  * etc/cron.daily/apport: Only attempt to remove files and symlinks, do not
    descend into subdirectories of /var/crash/. Doing so might be exploited by
    a race condition between find traversing a huge directory tree, changing
    an existing subdir into a symlink to e. g. /etc/, and finally getting that
    piped to rm. Patch based on work from Martin Pitt. Thanks to Stephane
    Chazelas for discovering this!
    - LP: #357024
    - CVE-2009-1295

 -- Jamie Strandboge <email address hidden> Wed, 29 Apr 2009 08:32:35 -0500