Comment 47 for bug 357024

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 1.1.1-0ubuntu1

apport (1.1.1-0ubuntu1) karmic; urgency=low

  [ Martin Pitt ]
  * New upstream security update:
    - etc/cron.daily/apport: Only attempt to remove files and symlinks, do not
      descend into subdirectories of /var/crash/. Doing so might be exploited by
      a race condition between find traversing a huge directory tree, changing
      an existing subdir into a symlink to e. g. /etc/, and finally getting
      that piped to rm. This also changes the find command to not use GNU
      extensions. Thanks to Stephane Chazelas for discovering this!
      (LP: #357024, CVE-2009-1295)
    - Other fixes were already cherrypicked in the previous upload.

  [ Matt Zimmerman ]
  * package-hooks/ Attach info for linux-restricted-modules
    and linux-backports-modules

 -- Martin Pitt <email address hidden> Thu, 30 Apr 2009 09:08:29 +0200
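The cleanup pattern this changelog entry describes (delete only files and symlinks directly inside the crash directory, never descend, no GNU find extensions), as an added example that is not part of the comment above and is not apport's own cron script. The function names, the 7-day age threshold and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: hardened cleanup of a shared spool directory.
# clean_crash_dir and make_demo_tree are hypothetical names, not apport's.

# Remove regular files and symlinks older than DAYS that sit directly in DIR.
clean_crash_dir() {
    dir=$1 days=$2
    # "$dir/." is the start point; "! -name . -prune" stops find from
    # entering anything below it, so no path handed to rm crosses a
    # subdirectory that could be swapped for a symlink mid-traversal.
    # find's default never follows symlinks, and rm -f on a symlink
    # unlinks the link itself, not its target. Only POSIX find options.
    find "$dir/." ! -name . -prune \( -type f -o -type l \) \
        -mtime +"$days" -exec rm -f -- {} \;
}

# Constructed sample tree; prints the temporary root it created.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/crash/sub" "$root/outside"
    : > "$root/crash/old.crash"
    : > "$root/crash/new.crash"
    : > "$root/crash/sub/nested.crash"
    : > "$root/outside/keep.conf"
    # A symlink to a directory outside the spool, as in the race scenario.
    ln -s "$root/outside" "$root/crash/link"
    # Backdate everything except new.crash so the age test matches it.
    touch -t 200001010000 "$root/crash/old.crash" \
        "$root/crash/sub/nested.crash" "$root/outside/keep.conf"
    printf '%s\n' "$root"
}

# Run as "sh script demo" to see which entries survive the cleanup.
if [ "${1:-}" = demo ]; then
    root=$(make_demo_tree) && clean_crash_dir "$root/crash" 7
    find "$root" | sort
    rm -rf "$root"
fi
```

Only `old.crash` is deleted: the backdated files under `sub/` and behind the `link` symlink are never visited, so nothing outside the top level of the directory can reach `rm`.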