desktop-packages team mailing list archive

Thread
Date

[Bug 1448636] Re: Suspend/resume failure misspells "occurred"

To: desktop-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1448636@xxxxxxxxxxxxxxxxxx>
Date: Fri, 22 May 2015 04:36:23 -0000
Reply-to: Bug 1448636 <1448636@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package apport - 2.17.3-0ubuntu1

---------------
apport (2.17.3-0ubuntu1) wily; urgency=medium

* New upstream release:
- SECURITY UPDATE: When /proc/sys/fs/suid_dumpable is enabled, crashing a
program that is suid root or not readable for the user would create
root-owned core files in the current directory of that program. Creating
specially crafted core files in /etc/logrotate.d or similar could then
lead to arbitrary code execution with root privileges.
Now core files do not get written for these kinds of programs, in
accordance with the intention of core(5).
Thanks to Sander Bos for discovering this issue!
(CVE-2015-1324, LP: #1452239)
- SECURITY UPDATE: When writing a core dump file for a crashed packaged
program, don't close and reopen the .crash report file but just rewind
and re-read it. This prevents the user from modifying the .crash report
file while "apport" is running to inject data and creating crafted core
dump files. In conjunction with the above vulnerability of writing core
dump files to arbitrary directories this could be exploited to gain root
privileges.
Thanks to Philip Pettersson for discovering this issue!
(CVE-2015-1325, LP: #1453900)
- apportcheckresume: Fix "occured" typo, thanks Matthew Paul Thomas.
(LP: #1448636)
- signal_crashes test: Fix test_crash_setuid_* to look at whether
suid_dumpable was enabled.
- test/run: Run UI tests under dbus-launch, newer GTK versions require this
now.

-- Martin Pitt <martin.pitt@xxxxxxxxxx> Wed, 20 May 2015 16:58:35
+0200

** Changed in: apport (Ubuntu)
Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-1324

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-1325

--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1448636

Title:
Suspend/resume failure misspells "occurred"

Status in apport package in Ubuntu:
Fix Released

Bug description:
apport 2.14.1-0ubuntu3.8, Ubuntu 14.04

1. Trigger a KernelOops (for example, by following the steps for bug 1298792 if it isn't fixed yet).
2. Choose "Show Details".
3. Expand the "Annotation" section.

What you see: "This occured..."

What you should see: "This occurred..."

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1448636/+subscriptions

References

[Bug 1448636] [NEW] Suspend/resume failure misspells "occurred"
From: Matthew Paul Thomas, 2015-04-26