touch-packages team mailing list archive

Thread
Date

[Bug 1500450] Re: /usr/share/apport/package_hook:FileExistsError:/usr/share/apport/package_hook@64:make_report_file

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Brian Murray <brian@xxxxxxxxxx>
Date: Mon, 28 Sep 2015 20:44:18 -0000
Reply-to: Bug 1500450 <1500450@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

I think package_hook was broken by the following change with the
apport's last upload:

    - SECURITY FIX: Fix all writers of report files (package_hook,
      kernel_crashdump, and similar) to open the report file exclusively,
      i. e.  fail if they already exist. This prevents privilege escalation
      through symlink attacks. Note that this will also prevent overwriting
      previous reports with the same same. Thanks to halfdog for discovering
      this!  (CVE-2015-1338, LP: #1492570)

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-1338

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1500450

Title:
  /usr/share/apport/package_hook:FileExistsError:/usr/share/apport/package_hook@64:make_report_file

Status in apport package in Ubuntu:
  Confirmed

Bug description:
  The Ubuntu Error Tracker has been receiving reports about a problem
  regarding apport.  This problem was most recently seen with version
  2.19-0ubuntu1, the problem page at
  https://errors.ubuntu.com/problem/df0a3ad32b9c2a7f173b2959a64b16b7ed139af4
  contains more details.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1500450/+subscriptions

References

[Bug 1500450] [NEW] /usr/share/apport/package_hook:FileExistsError:/usr/share/apport/package_hook@64:make_report_file
From: errors.ubuntu.com bug bridge, 2015-09-28