UbuntuUpdates.org

Package "apport"

Name: apport

Description:

This package is just an umbrella for a group of other packages; it has no description.
Description samples from packages in group:

  • KDE frontend for the apport crash report system
  • tools for automatically reporting Apport crash reports
  • valgrind wrapper that first downloads debug symbols

Latest version: 2.14.1-0ubuntu3.29
Release: trusty (14.04)
Level: security
Repository: universe


Other versions of "apport" in Trusty

Repository Area Version
base universe 2.14.1-0ubuntu3
base main 2.14.1-0ubuntu3
security main 2.14.1-0ubuntu3.29
updates universe 2.14.1-0ubuntu3.29
updates main 2.14.1-0ubuntu3.29


Changelog

Version: 2.14.1-0ubuntu3.29 2018-06-04 18:07:11 UTC

  apport (2.14.1-0ubuntu3.29) trusty-security; urgency=medium

  * data/apport: Properly handle crashes originating from a PID namespace.
    (LP: #1746668)
    - Thanks to Sander Bos for discovering this issue.
    - CVE-2018-6552

 -- Marc Deslauriers <email address hidden> Fri, 01 Jun 2018 08:12:01 -0400

CVE-2018-6552 RESERVED

Version: 2.14.1-0ubuntu3.28 2018-05-15 00:06:17 UTC

  apport (2.14.1-0ubuntu3.28) trusty-security; urgency=medium

  * REGRESSION UPDATE: Fix regression that caused a Traceback in the
    container support (LP: #1733366)
    - data/apport: add a second os.path.exists check to ensure we do not
      receive a Traceback in is_container_id() and add an exception handler in
      case either name space can not be found.

 -- Brian Murray <email address hidden> Fri, 20 Apr 2018 14:11:44 -0700

1733366 apport crashed with FileNotFoundError in is_container_pid(): [Errno 2] No such file or directory: '/proc/11102/ns/pid'

Version: 2.14.1-0ubuntu3.27 2017-11-15 20:06:20 UTC

  apport (2.14.1-0ubuntu3.27) trusty-security; urgency=medium

  * SECURITY UPDATE: Denial of service via resource exhaustion and
    privilege escalation when handling crashes of tainted processes
    (LP: #1726372)
    - When /proc/sys/fs/suid_dumpable is set to 2, do not assume that
      the user and group owning the /proc/<PID>/stat file is the same
      user and group that started the process. Rather check the dump
      mode of the crashed process and do not write a core file if its
      value is 2. Thanks to Sander Bos for discovering this issue!
    - CVE-2017-14177
  * SECURITY UPDATE: Denial of service via resource exhaustion,
    privilege escalation, and possible container escape when handling
    crashes of processes inside PID namespaces (LP: #1726372)
    - Change the method for determining if a crash is from a container
      so that there are no false positives from software using PID
      namespaces. Additionally, disable container crash forwarding by
      ignoring crashes that occur in a PID namespace. This functionality
      may be re-enabled in a future update. Thanks to Sander Bos for
      discovering this issue!
    - CVE-2017-14180

 -- Brian Murray <email address hidden> Mon, 13 Nov 2017 08:54:04 -0800

1726372 Multiple security issues in Apport
CVE-2017-14177 RESERVED
CVE-2017-14180 RESERVED

Version: 2.14.1-0ubuntu3.25 2017-07-18 19:07:08 UTC

  apport (2.14.1-0ubuntu3.25) trusty-security; urgency=medium

  * SECURITY UPDATE: code execution through path traversal in
    .crash files (LP: #1700573)
    - apport/report.py, test/test_ui.py: fix traversal issue
      and add a test for that.
    - debian/apport.install, setup.py, xdg-mime/apport.xml: removes
      apport as a file handler for .crash files. Thanks to Brian
      Murray for the patch and Felix Wilhelm for discovering this.
    - CVE-2017-10708

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 17 Jul 2017 08:43:04 -0300

1700573 Code execution through path traversal in .crash files processing
CVE-2017-1070 RESERVED

Version: 2.14.1-0ubuntu3.23 2016-12-14 23:07:26 UTC

  apport (2.14.1-0ubuntu3.23) trusty-security; urgency=medium

  [ Marc Deslauriers ]
  * SECURITY UPDATE: code execution via malicious crash files
    - Use ast.literal_eval in apport/ui.py, added test to test/test_ui.py.
    - No CVE number
    - LP: #1648806
  * SECURITY UPDATE: path traversal vulnerability with hooks execution
    - Clean path in apport/report.py, added test to test/test_ui.py.
    - No CVE number
    - LP: #1648806

  [ Steve Beattie ]
  * SECURITY UPDATE: code execution via malicious crash files
    - Only offer restarting the application when processing a
      crash file in /var/crash in apport/ui.py, gtk/apport-gtk,
      and kde/apport-kde. Add testcases to test/test_ui.py,
      test/test_ui_gtk.py, and test_ui_kde.py.
    - No CVE number
    - LP: #1648806

 -- Marc Deslauriers <email address hidden> Mon, 12 Dec 2016 07:27:21 -0500

1648806 Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files


