UbuntuUpdates.org

Package "python-apport"

Name: python-apport

Description:

Python library for Apport crash report handling

Latest version: 2.20.9-0ubuntu7.29
Release: bionic (18.04)
Level: security
Repository: universe
Head package: apport
Homepage: https://wiki.ubuntu.com/Apport

Links


Download "python-apport"


Other versions of "python-apport" in Bionic

Repository Area Version
base universe 2.20.9-0ubuntu7
updates universe 2.20.9-0ubuntu7.29

Changelog

Version: 2.20.9-0ubuntu7.29 2023-04-13 22:07:12 UTC

  apport (2.20.9-0ubuntu7.29) bionic-security; urgency=medium

  * SECURITY UPDATE: viewing an apport-cli crash with default pager could
    escalate privilege (LP: #2016023)
    - apport/ui.py, apport/user_group.py, bin/apport-cli: drops privilege to
      users environment before execution (using sudo)
    - test/test_ui.py, test/test_user/group.py: Add test cases for new code
    - CVE-2023-1326
  * backends/packaging-apt-dpkg.py: when downloading packages from Launchpad
    do not require them to be authenticated. (LP: #1989467)

 -- Benjamin Drung <email address hidden> Wed, 12 Apr 2023 19:53:49 +0200

Source diff to previous version
1989467 Several autopkgtest failures on Ubuntu 22.04 and older
CVE-2023-1326 RESERVED

Version: 2.20.9-0ubuntu7.28 2022-05-17 18:06:24 UTC

  apport (2.20.9-0ubuntu7.28) bionic-security; urgency=medium

  * SECURITY UPDATE: Fix multiple security issues
    - test/test_report.py: Fix flaky test.
    - data/apport: Fix too many arguments for error_log().
    - data/apport: Use proper argument variable name executable_path.
    - etc/init.d/apport: Set core_pipe_limit to a non-zero value to make
      sure the kernel waits for apport to finish before removing the /proc
      information.
    - apport/fileutils.py, data/apport: Search for executable name if one
      wan't provided such as when being called in a container.
    - data/apport: Limit memory and duration of gdbus call. (CVE-2022-28654,
      CVE-2022-28656)
    - data/apport, apport/fileutils.py, test/test_fileutils.py: Validate
      D-Bus socket location. (CVE-2022-28655)
    - apport/fileutils.py, test/test_fileutils.py: Turn off interpolation
      in get_config() to prevent DoS attacks. (CVE-2022-28652)
    - Refactor duplicate code into search_map() function.
    - Switch from chroot to container to validating socket owner.
      (CVE-2022-1242, CVE-2022-28657)
    - data/apport: Clarify error message.
    - apport/fileutils.py: Fix typo in comment.
    - apport/fileutils.py: Do not call str in loop.
    - data/apport, etc/init.d/apport: Switch to using non-positional
      arguments. Get real UID and GID from the kernel and make sure they
      match the process. Also fix executable name space handling in
      argument parsing. (CVE-2022-28658, CVE-2021-3899)
    - debian/apport.init: restore symbolic link to proper directory.

 -- Marc Deslauriers <email address hidden> Tue, 10 May 2022 09:23:35 -0400

Source diff to previous version
CVE-2022-28654 RESERVED
CVE-2022-28656 RESERVED
CVE-2022-28655 RESERVED
CVE-2022-28652 RESERVED
CVE-2022-1242 RESERVED
CVE-2022-28657 RESERVED
CVE-2022-28658 RESERVED
CVE-2021-3899 RESERVED

Version: 2.20.9-0ubuntu7.27 2021-10-25 12:06:21 UTC

  apport (2.20.9-0ubuntu7.27) bionic-security; urgency=medium

  * SECURITY UPDATE: Privilege escalation via core files
    - refactor privilege dropping and create core files in a well-known
      directory in apport/fileutils.py, apport/report.py, data/apport,
      test/test_fileutils.py, test/test_report.py,
      test/test_signal_crashes.py, test/test_ui.py.
    - use systemd-tmpfiles to create and manage the well-known core file
      directory in setup.py, data/systemd/apport.conf,
      debian/apport.install.

 -- Marc Deslauriers <email address hidden> Mon, 18 Oct 2021 07:48:31 -0400

Source diff to previous version

Version: 2.20.9-0ubuntu7.26 2021-09-14 13:06:19 UTC

  apport (2.20.9-0ubuntu7.26) bionic-security; urgency=medium

  * SECURITY UPDATE: Arbitrary file read (LP: #1934308)
    - data/general-hooks/ubuntu.py: don't attempt to include emacs
      byte-compilation logs, they haven't been generated by the emacs
      packages in a long time.
    - CVE-2021-3709
  * SECURITY UPDATE: Info disclosure via path traversal (LP: #1933832)
    - apport/hookutils.py, test/test_hookutils.py: detect path traversal
      attacks, and directory symlinks.
    - CVE-2021-3710

 -- Marc Deslauriers <email address hidden> Thu, 26 Aug 2021 10:56:33 -0400

Source diff to previous version
CVE-2021-3709 RESERVED
CVE-2021-3710 RESERVED

Version: 2.20.9-0ubuntu7.24 2021-05-25 18:06:29 UTC

  apport (2.20.9-0ubuntu7.24) bionic-security; urgency=medium

  * SECURITY UPDATE: Multiple arbitrary file reads (LP: #1917904)
    - apport/hookutils.py: don't follow symlinks and make sure the file
      isn't a FIFO in read_file().
    - test/test_hookutils.py: added symlink tests.
    - CVE-2021-32547, CVE-2021-32548, CVE-2021-32549, CVE-2021-32550,
      CVE-2021-32551, CVE-2021-32552, CVE-2021-32553, CVE-2021-32554,
      CVE-2021-32555
  * SECURITY UPDATE: info disclosure via modified config files spoofing
    (LP: #1917904)
    - backends/packaging-apt-dpkg.py: properly terminate arguments in
      get_modified_conffiles.
    - CVE-2021-32556
  * SECURITY UPDATE: arbitrary file write (LP: #1917904)
    - data/whoopsie-upload-all: don't follow symlinks and make sure the
      file isn't a FIFO in process_report().
    - CVE-2021-32557

 -- Marc Deslauriers <email address hidden> Tue, 18 May 2021 09:15:10 -0400

CVE-2021-32547 RESERVED
CVE-2021-32548 RESERVED
CVE-2021-32549 RESERVED
CVE-2021-32550 RESERVED
CVE-2021-32551 RESERVED
CVE-2021-32552 RESERVED
CVE-2021-32553 RESERVED
CVE-2021-32554 RESERVED
CVE-2021-32555 RESERVED
CVE-2021-32556 RESERVED
CVE-2021-32557 RESERVED



About   -   Send Feedback to @ubuntu_updates