UbuntuUpdates.org

Package "apport"

Name: apport

Description:

automatically generate crash reports for debugging

Latest version: 2.20.11-0ubuntu8.8
Release: eoan (19.10)
Level: security
Repository: main
Homepage: https://wiki.ubuntu.com/Apport

Links

Save this URL for the latest version of "apport": https://www.ubuntuupdates.org/apport


Download "apport"


Other versions of "apport" in Eoan

Repository Area Version
base universe 2.20.11-0ubuntu8
base main 2.20.11-0ubuntu8
security universe 2.20.11-0ubuntu8.8
updates universe 2.20.11-0ubuntu8.9
updates main 2.20.11-0ubuntu8.9
proposed universe 2.20.11-0ubuntu8.9
proposed main 2.20.11-0ubuntu8.9

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 2.20.11-0ubuntu8.8 2020-04-02 03:06:31 UTC

  apport (2.20.11-0ubuntu8.8) eoan-security; urgency=medium

  * SECURITY UPDATE: World writable root owned lock file created in user
    controllable location (LP: #1862348)
    - data/apport: Change location of lock file to be directly under
      /var/run so that regular users can not directly access it or perform
      symlink attacks.
    - CVE-2020-8831
  * SECURITY UPDATE: Race condition between report creation and ownership
    (LP: #1862933)
    - data/apport: When setting owner of report file use a file-descriptor
      to the report file instead of its path name to ensure that users can
      not cause Apport to change the ownership of other files via a
      symlink attack.
    - CVE-2020-8833

 -- Alex Murray <email address hidden> Wed, 25 Mar 2020 11:40:00 +1030

Source diff to previous version
1862348 Apport lock file root privilege escalation
1862933 Apport crash report \u0026 cron script TOCTTOU
CVE-2020-8831 RESERVED
CVE-2020-8833 RESERVED

Version: 2.20.11-0ubuntu8.6 2020-03-18 03:06:31 UTC

  apport (2.20.11-0ubuntu8.6) eoan-security; urgency=medium

  * SECURITY REGRESSION: 'module' object has no attribute 'O_PATH'
    (LP: #1851806)
    - apport/report.py, apport/ui.py: use file descriptors for /proc/pid
      directory access only when running under python 3; prevent reading /proc
      maps under python 2 as it does not provide a secure way to do so; use
      io.open for better compatibility between python 2 and 3.
  * data/apport: fix number of arguments passed through socks into a container.
  * test/test_report.py: test login session with both pid and proc_pid_fd.

 -- Tiago Stürmer Daitx <email address hidden> Thu, 27 Feb 2020 03:18:45 +0000

Source diff to previous version
1851806 'module' object has no attribute 'O_PATH'

Version: 2.20.11-0ubuntu8.2 2019-11-05 06:07:17 UTC

  apport (2.20.11-0ubuntu8.2) eoan-security; urgency=medium

  * SECURITY REGRESSION: missing argument in Report.add_proc_environ
    call (LP: #1850929)
    - apport/report.py: call add_proc_environ using named arguments
      and move proc_pid_dir keyword to last to keep api compatibility.

 -- Tiago Stürmer Daitx <email address hidden> Tue, 05 Nov 2019 02:49:27 +0000

Source diff to previous version
1850929 python3-apport regression: missing argument in Report.add_proc_environ call

Version: 2.20.11-0ubuntu8.1 2019-10-30 08:06:46 UTC

  apport (2.20.11-0ubuntu8.1) eoan-security; urgency=medium

  * SECURITY UPDATE: apport reads arbitrary files if ~/.config/apport/settings
    is a symlink (LP: #1830862)
    - apport/fileutils.py: drop permissions before reading user settings file.
    - CVE-2019-11481
  * SECURITY UPDATE: TOCTTOU race conditions and following symbolic
    links when creating a core file (LP: #1839413)
    - data/apport: use file descriptor to reference to cwd instead
      of strings.
    - CVE-2019-11482
  * SECURITY UPDATE: fully user controllable lock file due to lock file
    being located in world-writable directory (LP: #1839415)
    - data/apport: create and use lock file from /var/lock/apport.
    - CVE-2019-11485
  * SECURITY UPDATE: per-process user controllable Apport socket file
    (LP: #1839420)
    - data/apport: forward crashes only under a valid uid and gid,
      thanks Stéphane Graber for the patch.
    - CVE-2019-11483
  * SECURITY UPDATE: PID recycling enables an unprivileged user to
    generate and read a crash report for a privileged process (LP: #1839795)
    - data/apport: drop permissions before adding proc info (special thanks
      to Kevin Backhouse for the patch)
    - data/apport, apport/report.py, apport/ui.py: only access or open
      /proc/[pid] through a file descriptor for that directory.
    - CVE-2019-15790

 -- Tiago Stürmer Daitx <email address hidden> Tue, 29 Oct 2019 05:23:08 +0000

1830862 Apport reads arbitrary files if ~/.config/apport/settings is a symlink
1839413 TOCTTOU (\
1839415 Fully user controllable lock file due to lock file being located in world-writable directory
1839420 Per-process user controllable Apport socket file
1839795 PID recycling enables an unprivileged user to generate and read a crash report for a privileged process
CVE-2019-11481 RESERVED
CVE-2019-11482 RESERVED
CVE-2019-11485 RESERVED
CVE-2019-11483 RESERVED
CVE-2019-15790 RESERVED



About   -   Send Feedback to @ubuntu_updates