CVE-2015-7529 needs to be backported to supported releases

Bug #1525271 reported by Louis Bouchard
Affects                    Status        Importance  Assigned to   Milestone
sosreport (Ubuntu)         Fix Released  High        Unassigned
  Trusty                   Fix Released  High        Tyler Hicks
  Vivid                    Fix Released  High        Tyler Hicks
  Wily                     Fix Released  High        Tyler Hicks

Bug Description

The fix for CVE-2015-7529 (predictable tmp file usage), available in Xenial, needs to be backported to Wily, Vivid and Trusty.

Revision history for this message
Louis Bouchard (louis) wrote:
Changed in sosreport (Ubuntu):
status: New → Fix Released
Changed in sosreport (Ubuntu Trusty):
status: New → In Progress
Changed in sosreport (Ubuntu Vivid):
status: New → In Progress
Changed in sosreport (Ubuntu Wily):
status: New → In Progress
Changed in sosreport (Ubuntu):
importance: Undecided → High
Changed in sosreport (Ubuntu Trusty):
importance: Undecided → High
Changed in sosreport (Ubuntu Vivid):
importance: Undecided → High
Changed in sosreport (Ubuntu Wily):
importance: Undecided → High
Changed in sosreport (Ubuntu Trusty):
assignee: nobody → Louis Bouchard (louis-bouchard)
Changed in sosreport (Ubuntu Vivid):
assignee: nobody → Louis Bouchard (louis-bouchard)
Changed in sosreport (Ubuntu Wily):
assignee: nobody → Louis Bouchard (louis-bouchard)
Louis Bouchard (louis) wrote:

Here are the fixes for all three versions, derived from the fix uploaded in Xenial.

Smoke test done for all three: it now creates a private directory in /tmp in which to create the archive.

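The pattern behind the fix, as an added example that is not sosreport's code and not part of this bug thread: a guessable work directory under a shared /tmp (the CVE-2015-7529 condition) beside the private, unpredictable directory the patch introduces, plus the check a reviewer can run on the result. The directory name, the fake /tmp and the attacker's target are all constructed for the demo; the real sosreport naming scheme is not reproduced here.

```python
import os
import shutil
import stat
import tempfile

# Constructed stand-in for the hostname/date-style name a reporting tool
# might use. Anything an unprivileged local user can guess makes the path
# predictable, which is the condition CVE-2015-7529 describes.
PREDICTABLE_NAME = "sosreport-examplehost-20151217"


def predictable_workdir(base):
    """Vulnerable pattern: a guessable name under a shared directory.

    If an attacker has already planted base/PREDICTABLE_NAME as a symlink,
    makedirs(exist_ok=True) sees "a directory exists" (isdir follows
    symlinks) and hands back the attacker's path, so the archive lands
    wherever the symlink points.
    """
    path = os.path.join(base, PREDICTABLE_NAME)
    os.makedirs(path, exist_ok=True)
    return path


def private_workdir(base):
    """Hardened pattern: a fresh, unguessable directory created with 0700.

    mkdtemp() only ever succeeds on a name that did not exist, so a symlink
    planted in advance can never be reused, and the 0700 mode keeps other
    local users from reading the archive while it is being assembled.
    """
    return tempfile.mkdtemp(prefix="sos.", dir=base)


def is_private_dir(path):
    """Check on the work directory: a real directory (not a symlink),
    owned by the current user, mode exactly 0700."""
    st = os.lstat(path)  # lstat so a planted symlink is not followed
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == os.getuid()
            and stat.S_IMODE(st.st_mode) == 0o700)


def demo():
    """Simulate the race with the attacker already ahead of the tool.

    Returns (vulnerable_leaked, hardened_leaked, hardened_is_private).
    """
    base = tempfile.mkdtemp(prefix="fake-tmp-")             # stands in for /tmp
    attacker_target = tempfile.mkdtemp(prefix="attacker-")  # where the attacker wants the archive
    try:
        # Attacker plants the symlink at the guessable path before we run.
        os.symlink(attacker_target, os.path.join(base, PREDICTABLE_NAME))

        vuln = predictable_workdir(base)
        with open(os.path.join(vuln, "archive.tar"), "w") as fh:
            fh.write("constructed report contents")
        vulnerable_leaked = os.path.exists(os.path.join(attacker_target, "archive.tar"))

        safe = private_workdir(base)
        with open(os.path.join(safe, "archive.tar"), "w") as fh:
            fh.write("constructed report contents")
        hardened_leaked = (os.path.islink(safe)
                           or os.path.realpath(safe) == os.path.realpath(attacker_target))
        hardened_is_private = is_private_dir(safe)
        return vulnerable_leaked, hardened_leaked, hardened_is_private
    finally:
        shutil.rmtree(base)
        shutil.rmtree(attacker_target)


if __name__ == "__main__":
    print(demo())
```

The demo assumes a POSIX system (os.getuid, symlinks). The important property of mkdtemp is not the randomness alone but that the create fails instead of reusing an existing entry; a random name combined with makedirs(exist_ok=True) would still be a race.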
Louis Bouchard (louis) wrote:

debdiff for trusty

Louis Bouchard (louis) wrote:

debdiff for vivid

Louis Bouchard (louis) wrote:

debdiff for wily

Tyler Hicks (tyhicks) wrote:

sosreport in trusty is also vulnerable to CVE-2014-0246. I'll pull this patch in to fix it:

  https://github.com/sosreport/sos/commit/7b46d346

Changed in sosreport (Ubuntu Trusty):
assignee: Louis Bouchard (louis-bouchard) → Tyler Hicks (tyhicks)
Changed in sosreport (Ubuntu Vivid):
assignee: Louis Bouchard (louis-bouchard) → Tyler Hicks (tyhicks)
Changed in sosreport (Ubuntu Wily):
assignee: Louis Bouchard (louis-bouchard) → Tyler Hicks (tyhicks)
Tyler Hicks (tyhicks) wrote:

Hi - I've reviewed, built (with some changes), and tested the debdiffs and now I'm about to publish what I have. The changes that I made are:

 - I didn't feel like the Landscape changes were appropriate for a security update and dropped those patches
   + The SRU process is more appropriate for those changes
   + I considered leaving them in but ultimately decided that I didn't have a way to easily test the changes
 - The versioning needed to be adjusted, the pocket needed to be set to RELEASE-security, and the changelog formatting needed a bit of adjusting, as well
   + See https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging for details
 - The patch descriptions for CVE-2015-7529 were updated to make it clear that 08121d87 "[sosreport] clean up private temporary directory" had also been applied
 - The 14.04 debdiff was updated to fix CVE-2014-0246
 - The 14.04 debdiff for CVE-2015-7529 was missing a description

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package sosreport - 3.2-2ubuntu0.1

---------------
sosreport (3.2-2ubuntu0.1) vivid-security; urgency=medium

  [ Louis Bouchard ]
  * SECURITY UPDATE: Information disclosure and/or directory traversal
    via insecure tmp file handling (LP: #1525271)
    - debian/patches/0003-CVE-2015-7529.patch: Safely create a private
      tmp directory
    - CVE-2015-7529

 -- Tyler Hicks <email address hidden> Thu, 17 Dec 2015 17:20:56 -0600

Changed in sosreport (Ubuntu Vivid):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package sosreport - 3.1-1ubuntu2.2

---------------
sosreport (3.1-1ubuntu2.2) trusty-security; urgency=medium

  * SECURITY UPDATE: Information disclosure via insufficient scrubbing of
    passwords in /etc/fstab
   - debian/patches/0010-CVE-2014-0246.patch: Remove passwords when collecting
     the contents of /etc/fstab
   - CVE-2014-0246

  [ Louis Bouchard ]
  * SECURITY UPDATE: Information disclosure and/or directory traversal
    via insecure tmp file handling (LP: #1525271)
    - debian/patches/0011-CVE-2015-7529.patch: Safely create a private
      tmp directory
    - CVE-2015-7529

 -- Tyler Hicks <email address hidden> Thu, 17 Dec 2015 17:27:05 -0600

Changed in sosreport (Ubuntu Trusty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package sosreport - 3.2-2ubuntu1.1

---------------
sosreport (3.2-2ubuntu1.1) wily-security; urgency=medium

  [ Louis Bouchard ]
  * SECURITY UPDATE: Information disclosure and/or directory traversal
    via insecure tmp file handling (LP: #1525271)
    - debian/patches/0005-CVE-2015-7529.patch: Safely create a private
      tmp directory
    - CVE-2015-7529

 -- Tyler Hicks <email address hidden> Thu, 17 Dec 2015 17:20:51 -0600

Changed in sosreport (Ubuntu Wily):
status: In Progress → Fix Released