UbuntuUpdates.org

Package "dh-apport"

Name: dh-apport

Description:

debhelper extension for the apport crash report system

Latest version: 2.20.1-0ubuntu2.30
Release: xenial (16.04)
Level: security
Repository: universe
Head package: apport
Homepage: https://wiki.ubuntu.com/Apport

Other versions of "dh-apport" in Xenial

Repository Area Version
base universe 2.20.1-0ubuntu2
updates universe 2.20.1-0ubuntu2.30

Changelog

Version: 2.20.1-0ubuntu2.21 2019-11-05 06:07:12 UTC

  apport (2.20.1-0ubuntu2.21) xenial-security; urgency=medium

  * SECURITY REGRESSION: missing argument in Report.add_proc_environ
    call (LP: #1850929)
    - apport/report.py: call add_proc_environ using named arguments
      and move proc_pid_dir keyword to last to keep api compatibility.

 -- Tiago Stürmer Daitx <email address hidden> Tue, 05 Nov 2019 02:49:27 +0000

Source diff to previous version
1850929 python3-apport regression: missing argument in Report.add_proc_environ call

Version: 2.20.1-0ubuntu2.20 2019-10-30 07:06:40 UTC

  apport (2.20.1-0ubuntu2.20) xenial-security; urgency=medium

  * SECURITY UPDATE: apport reads arbitrary files if ~/.config/apport/settings
    is a symlink (LP: #1830862)
    - apport/fileutils.py: drop permissions before reading user settings file.
    - CVE-2019-11481
  * SECURITY UPDATE: TOCTTOU race conditions and following symbolic
    links when creating a core file (LP: #1839413)
    - data/apport: use file descriptor to reference to cwd instead
      of strings.
    - CVE-2019-11482
  * SECURITY UPDATE: fully user controllable lock file due to lock file
    being located in world-writable directory (LP: #1839415)
    - data/apport: create and use lock file from /var/lock/apport.
    - CVE-2019-11485
  * SECURITY UPDATE: per-process user controllable Apport socket file
    (LP: #1839420)
    - data/apport: forward crashes only under a valid uid and gid,
      thanks Stéphane Graber for the patch.
    - CVE-2019-11483
  * SECURITY UPDATE: PID recycling enables an unprivileged user to
    generate and read a crash report for a privileged process (LP: #1839795)
    - data/apport: drop permissions before adding proc info (special thanks
      to Kevin Backhouse for the patch)
    - data/apport, apport/report.py, apport/ui.py: only access or open
      /proc/[pid] through a file descriptor for that directory.
    - CVE-2019-15790

 -- Tiago Stürmer Daitx <email address hidden> Tue, 29 Oct 2019 05:23:08 +0000

Source diff to previous version
1830862 Apport reads arbitrary files if ~/.config/apport/settings is a symlink
1839413 TOCTTOU (\
1839415 Fully user controllable lock file due to lock file being located in world-writable directory
1839420 Per-process user controllable Apport socket file
1839795 PID recycling enables an unprivileged user to generate and read a crash report for a privileged process
CVE-2019-11481 RESERVED
CVE-2019-11482 RESERVED
CVE-2019-11485 RESERVED
CVE-2019-11483 RESERVED
CVE-2019-15790 RESERVED

Version: 2.20.1-0ubuntu2.19 2019-07-09 01:08:09 UTC

  apport (2.20.1-0ubuntu2.19) xenial-security; urgency=medium

  * SECURITY UPDATE: TOCTOU issue allows local user to read arbitrary
    files (LP: #1830858)
    - apport/report.py: Avoid TOCTOU issue on users ignore file by
      dropping privileges and then opening the file both test for access and
      open the file in a single operation, instead of using access() before
      reading the file which could be abused by a symlink to cause Apport to
      read and embed an arbitrary file in the resulting crash dump.
    - CVE-2019-7307

 -- Alex Murray <email address hidden> Thu, 04 Jul 2019 12:05:21 +0930

Source diff to previous version
1830858 TOCTOU vulnerability in _get_ignore_dom (report.py)
CVE-2019-7307 RESERVED

Version: 2.20.1-0ubuntu2.18 2018-05-30 21:07:37 UTC

  apport (2.20.1-0ubuntu2.18) xenial-security; urgency=medium

  * data/apport: Properly handle crashes originating from a PID namespace.
    (LP: #1746668)
    - CVE-2018-6552

 -- Brian Murray <email address hidden> Thu, 10 May 2018 15:30:09 -0700

Source diff to previous version
CVE-2018-6552 RESERVED

Version: 2.20.1-0ubuntu2.15 2018-01-03 21:06:51 UTC

  apport (2.20.1-0ubuntu2.15) xenial-security; urgency=medium

  * REGRESSION UPDATE: Fix regression that caused a Traceback in the
    container support (LP: #1733366)
    - data/apport: add a second os.path.exists check to ensure we do not
      receive a Traceback in is_container_id() and add an exception handler in
      case either name space can not be found.

 -- Brian Murray <email address hidden> Wed, 13 Dec 2017 10:54:26 -0800

1733366 apport crashed with FileNotFoundError in is_container_pid(): [Errno 2] No such file or directory: '/proc/11102/ns/pid'


