UbuntuUpdates.org

Package "dh-apport"

Name: dh-apport

Description:

debhelper extension for the apport crash report system

Latest version: 2.20.1-0ubuntu2.30
Release: xenial (16.04)
Level: security
Repository: universe
Head package: apport
Homepage: https://wiki.ubuntu.com/Apport

Other versions of "dh-apport" in Xenial

Repository Area Version
base universe 2.20.1-0ubuntu2
updates universe 2.20.1-0ubuntu2.30

Changelog

Version: 2.20.1-0ubuntu2.30 2021-02-02 19:06:53 UTC

  apport (2.20.1-0ubuntu2.30) xenial-security; urgency=medium

  * SECURITY UPDATE: multiple security issues (LP: #1912326)
    - CVE-2021-25682: error parsing /proc/pid/status
    - CVE-2021-25683: error parsing /proc/pid/stat
    - CVE-2021-25684: stuck reading fifo
    - data/apport: make sure existing report is a regular file.
    - apport/fileutils.py: move some logic here to skip over manipulated
      process names and filenames.
    - test/test_fileutils.py: added some parsing tests.

 -- Marc Deslauriers <email address hidden> Tue, 26 Jan 2021 07:21:46 -0500

Source diff to previous version
CVE-2021-25682 RESERVED
CVE-2021-25683 RESERVED
CVE-2021-25684 RESERVED

Version: 2.20.1-0ubuntu2.27 2020-11-12 16:07:36 UTC

  apport (2.20.1-0ubuntu2.27) xenial-security; urgency=medium

  * Various security hardening fixes (LP: #1903332)
    - apport/fileutils.py: drop privileges in the correct order, limit
      settings file size.
    - apport/apport/report.py: properly drop privileges, limit ignore file
      size.
    - data/apport: drop supplemental groups.

 -- Marc Deslauriers <email address hidden> Tue, 10 Nov 2020 15:03:57 -0500

Source diff to previous version
1903332 Apport get_config incorrectly drops privileges

Version: 2.20.1-0ubuntu2.24 2020-08-04 19:07:01 UTC

  apport (2.20.1-0ubuntu2.24) xenial-security; urgency=medium

  * SECURITY UPDATE: information disclosure issue (LP: #1885633)
    - data/apport: also drop gid when checking if user session is closing.
    - CVE-2020-11936
  * SECURITY UPDATE: crash via malformed ignore file (LP: #1877023)
    - apport/report.py: don't crash on malformed mtime values.
    - CVE-2020-15701
  * SECURITY UPDATE: TOCTOU in core file location
    - data/apport: make sure the process hasn't been replaced after Apport
      has started.
    - CVE-2020-15702
  * apport/ui.py, test/test_ui.py: make sure a PID is specified when using
    --hanging (LP: #1876659)

 -- Marc Deslauriers <email address hidden> Fri, 24 Jul 2020 09:08:40 -0400

Source diff to previous version
1877023 Unhandled exception in check_ignored()
1876659 Unhandled exception in run_hang()
CVE-2020-11936 RESERVED
CVE-2020-15701 RESERVED
CVE-2020-15702 RESERVED

Version: 2.20.1-0ubuntu2.23 2020-04-02 03:06:26 UTC

  apport (2.20.1-0ubuntu2.23) xenial-security; urgency=medium

  * SECURITY UPDATE: World writable root owned lock file created in user
    controllable location (LP: #1862348)
    - data/apport: Change location of lock file to be directly under
      /var/run so that regular users can not directly access it or perform
      symlink attacks.
    - CVE-2020-8831
  * SECURITY UPDATE: Race condition between report creation and ownership
    (LP: #1862933)
    - data/apport: When setting owner of report file use a file-descriptor
      to the report file instead of its path name to ensure that users can
      not cause Apport to change the ownership of other files via a
      symlink attack.
    - CVE-2020-8833

 -- Alex Murray <email address hidden> Wed, 25 Mar 2020 11:50:41 +1030

Source diff to previous version
1862348 Apport lock file root privilege escalation
1862933 Apport crash report & cron script TOCTTOU
CVE-2020-8831 RESERVED
CVE-2020-8833 RESERVED

Version: 2.20.1-0ubuntu2.22 2020-03-18 03:06:26 UTC

  apport (2.20.1-0ubuntu2.22) xenial-security; urgency=medium

  [ Michael Hudson-Doyle ]
  * SECURITY REGRESSION: fix autopkgtest failures since recent security
    update (LP: #1854237)
    - Fix regression in creating report for crashing setuid process by getting
      kernel to tell us the executable path rather than reading
      /proc/[pid]/exe.
    - Fix deletion of partially written core files.
    - Fix test_get_logind_session to use new API.
    - Restore add_proc_info raising ValueError for a dead process.
    - Delete test_lock_symlink, no longer applicable now that the lock is
      created in a directory only root can write to.

  [ Tiago Stürmer Daitx ]
  * SECURITY REGRESSION: 'module' object has no attribute 'O_PATH'
    (LP: #1851806)
    - apport/report.py, apport/ui.py: use file descriptors for /proc/pid
      directory access only when running under python 3; prevent reading /proc
      maps under python 2 as it does not provide a secure way to do so; use
      io.open for better compatibility between python 2 and 3.
  * data/apport: fix number of arguments passed through socks into a container.
  * test/test_report.py: test login session with both pid and proc_pid_fd.
  * test/test_apport_valgrind.py: skip test_sandbox_cache_options if system
    has little memory.
  * test/test_ui.py: modify run_crash_kernel test to account for the fact that
    linux-image-$kvers-$flavor is now built from the linux-signed source
    package on amd64 and ppc64el. (LP: #1766740)

 -- Tiago Stürmer Daitx <email address hidden> Thu, 27 Feb 2020 03:18:45 +0000

1854237 autopkgtests fail after security fixes
1851806 'module' object has no attribute 'O_PATH'
1766740 apport autopkgtest regression due to kernel packaging changes


