| Summary: | abrt/libreport new security issues CVE-2012-5659 and CVE-2012-5660 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | critical | | |
| Priority: | Normal | CC: | davidwhodgins, mageia, oe, sysadmin-bugs, thierry.vignaud, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/535717/ | | |
| Whiteboard: | | | |
| Source RPM: | abrt, libreport | CVE: | |
| Status comment: | | | |

Description
David Walser
2013-02-01 20:09:33 CET

David Walser
2013-02-01 20:09:42 CET
CC: (none) => mageia

David Walser
2013-02-01 20:09:48 CET
CC: (none) => oe

David Walser
2013-02-01 20:09:59 CET
CC: (none) => thierry.vignaud

David Walser
2013-02-01 20:18:40 CET
URL: (none) => http://lwn.net/Vulnerabilities/535717/

CVE-2012-5659 is indeed already fixed in the abrt version we have in Cauldron.

Patched libreport packages uploaded for Mageia 2 and Cauldron. Patched abrt package uploaded for Mageia 2.

Advisory:
========================

Updated abrt and libreport packages fix security vulnerabilities:

It was found that the /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache tool did not sufficiently sanitize its environment variables. This could lead to Python modules being loaded and run from non-standard directories (such as /tmp/). A local attacker could use this flaw to escalate their privileges to that of the abrt user (CVE-2012-5659).

A race condition was found in the way ABRT handled the directories used to store information about crashes. A local attacker with the privileges of the abrt user could use this flaw to perform a symbolic link attack, possibly allowing them to escalate their privileges to root (CVE-2012-5660).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5660
https://rhn.redhat.com/errata/RHSA-2013-0215.html
========================

Updated packages in core/updates_testing:
========================

libreport-2.0.8-5.1.mga2
libreport-abrt_dbus0-2.0.8-5.1.mga2
libreport-abrt_web0-2.0.8-5.1.mga2
libreport0-2.0.8-5.1.mga2
libreport-filesystem-2.0.8-5.1.mga2
libreport-devel-2.0.8-5.1.mga2
libreport-python-2.0.8-5.1.mga2
libreport-cli-2.0.8-5.1.mga2
libreport-newt-2.0.8-5.1.mga2
libreport-gtk-2.0.8-5.1.mga2
libreport-gtk0-2.0.8-5.1.mga2
libreport-gtk-devel-2.0.8-5.1.mga2
libreport-plugin-kerneloops-2.0.8-5.1.mga2
libreport-plugin-logger-2.0.8-5.1.mga2
libreport-plugin-mailx-2.0.8-5.1.mga2
libreport-plugin-bugzilla-2.0.8-5.1.mga2
libreport-plugin-bodhi-2.0.8-5.1.mga2
libreport-compat-2.0.8-5.1.mga2
libreport-plugin-reportuploader-2.0.8-5.1.mga2
abrt-2.0.7-3.2.mga2
libabrt0-2.0.7-3.2.mga2
libabrt-devel-2.0.7-3.2.mga2
abrt-gui-2.0.7-3.2.mga2
abrt-addon-ccpp-2.0.7-3.2.mga2
abrt-addon-kerneloops-2.0.7-3.2.mga2
abrt-addon-vmcore-2.0.7-3.2.mga2
abrt-addon-python-2.0.7-3.2.mga2
abrt-cli-2.0.7-3.2.mga2
abrt-desktop-2.0.7-3.2.mga2

from SRPMS:
libreport-2.0.8-5.1.mga2.src.rpm
abrt-2.0.7-3.2.mga2.src.rpm

Version: Cauldron => 2

As with the previous abrt testing, I'm following the procedure at https://fedoraproject.org/wiki/QA:Testcase_ABRT but I am not getting the notification. In the previous test, libreport was not installed, iirc. Should it be required by the abrt package? Is there some other piece that needs to be installed to get abrt and libreport working?

CC: (none) => davidwhodgins
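The two flaws in the advisory above share a root cause: a helper running with the abrt user's privileges trusts state that an unprivileged local user controls, first the environment it inherits (which steers where Python loads modules from) and then a crash directory that may have been replaced by a symbolic link between check and use. The C program below is an added example written for this page, not code from abrt, libreport or the package maintainers. It shows the defensive pattern for both cases: build a scrubbed environment for any child process (dropping the Python search-path variables and the LD_* loader variables, and pinning PATH), and open a dump directory with O_NOFOLLOW|O_DIRECTORY, then verify ownership and permissions on the already-open descriptor rather than on the path. The function names (env_entry_allowed, build_clean_env, open_dump_dir, demo_symlink_rejected), the variable blocklist and the sample environment are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/stat.h>

/* Environment variables that redirect where the Python interpreter finds
 * modules or startup code. A privileged helper must drop them before it,
 * or anything it spawns, runs Python. Constructed list for this example. */
static const char *const PY_BLOCKLIST[] = {
    "PYTHONPATH", "PYTHONHOME", "PYTHONSTARTUP", "PYTHONUSERBASE",
    "PYTHONINSPECT", NULL
};

/* Returns 1 if a "NAME=value" entry may be passed to a child, 0 if it must
 * be dropped. LD_* is dropped as well: it steers the dynamic loader. */
int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t namelen = eq ? (size_t)(eq - entry) : strlen(entry);
    if (namelen >= 3 && strncmp(entry, "LD_", 3) == 0)
        return 0;
    for (size_t i = 0; PY_BLOCKLIST[i]; i++) {
        if (strlen(PY_BLOCKLIST[i]) == namelen &&
            strncmp(entry, PY_BLOCKLIST[i], namelen) == 0)
            return 0;
    }
    return 1;
}

void free_env(char **env)
{
    if (!env) return;
    for (size_t i = 0; env[i]; i++) free(env[i]);
    free(env);
}

size_t env_len(char *const *env)
{
    size_t n = 0;
    while (env && env[n]) n++;
    return n;
}

/* Build a NULL-terminated copy of envp that keeps only allowed entries and
 * replaces PATH with a fixed system value. Suitable as the envp argument of
 * execve(). Caller frees with free_env(). Returns NULL on allocation failure. */
char **build_clean_env(char *const *envp)
{
    size_t n = env_len(envp), k = 0;
    char **out = calloc(n + 2, sizeof *out);   /* room for PATH and terminator */
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        if (strncmp(envp[i], "PATH=", 5) == 0 || !env_entry_allowed(envp[i]))
            continue;
        if (!(out[k++] = strdup(envp[i]))) { free_env(out); return NULL; }
    }
    if (!(out[k] = strdup("PATH=/usr/bin:/bin"))) { free_env(out); return NULL; }
    return out;                                 /* out[k+1] is NULL from calloc */
}

/* Open a crash dump directory without following a symlink at the final
 * component, then check the open descriptor (not the path, which could be
 * swapped underneath us) for: a real directory, the expected owner, and no
 * group/other write permission. Returns an fd, or -1 with errno set. */
int open_dump_dir(const char *path, uid_t expected_owner)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                      /* ELOOP when path is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != expected_owner || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check: in a private temp tree, create a real directory and a symlink
 * pointing at /tmp, and verify that only the real directory is accepted.
 * Returns 1 on success, 0 on any unexpected outcome. */
int demo_symlink_rejected(void)
{
    char tmpl[] = "/tmp/dumpdemo.XXXXXX";
    char *base = mkdtemp(tmpl);
    if (!base) return 0;
    char real[64], link[64];
    snprintf(real, sizeof real, "%s/ccpp-real", base);
    snprintf(link, sizeof link, "%s/ccpp-link", base);
    int ok = 0;
    if (mkdir(real, 0700) == 0 && symlink("/tmp", link) == 0) {
        int good = open_dump_dir(real, getuid());
        int bad = open_dump_dir(link, getuid());
        ok = (good >= 0 && bad < 0);
        if (good >= 0) close(good);
    }
    unlink(link); rmdir(real); rmdir(base);
    return ok;
}

int main(void)
{
    /* Constructed sample environment: a user's PATH, a module-path override
     * pointing into /tmp and a loader preload, as an attacker might supply. */
    char *env[] = { "PATH=/home/x/bin:/usr/bin", "HOME=/home/x",
                    "PYTHONPATH=/tmp/evil", "LD_PRELOAD=/tmp/x.so", "LANG=C", NULL };
    char **clean = build_clean_env(env);
    for (size_t i = 0; clean && clean[i]; i++) printf("%s\n", clean[i]);
    free_env(clean);
    printf("symlink check: %s\n", demo_symlink_rejected() ? "ok" : "FAILED");
    return 0;
}
```

Running it prints the three surviving entries (HOME, LANG and the pinned PATH) and "symlink check: ok". The ownership and mode checks in open_dump_dir are the part that matters for a race: the directory name can be replaced after a separate stat(), but fstat() on the descriptor describes exactly the object that was opened.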
Dave Hodgins
2013-02-02 03:44:06 CET
Whiteboard: (none) => feedback

rpm tells me that several of the abrt packages require libreport.so.0, so at least libreport0 should be installed. You shouldn't be able to install the abrt packages without it.

As far as the other packages, a couple of them are explicitly required by some of the abrt subpackages, but we don't have quite as many explicit requires as Fedora's spec. For "libreport" itself, Fedora's abrt-dbus subpackage (we don't have a subpackage by that name) requires it. So, you can try installing it and the other libreport subpackages and see if it makes any difference. Hopefully we can get some feedback from other developers. I don't know much about abrt.

More testing info here: https://fedorahosted.org/abrt/wiki/AbrtBasicFunctionality

Found that abrt-desktop is a meta package which should bring in all necessary bits, so installed that and several libreport bits.

Problem with existing package, it appears not to be working anyway.

```
# service abrtd restart
Restarting abrtd (via systemctl):  [ OK ]
$ ps aux | grep abrt
root 19484 0.0 0.0 21500 1088 ? Ss 19:06 0:00 /usr/sbin/abrtd
$ abrt-applet
ABRT service is not running
# rpm -qa | grep -e abrt -e report
lib64abrt0-2.0.7-3.1.mga2
libreport-gtk-2.0.8-5.mga2
libreport-filesystem-2.0.8-5.mga2
abrt-addon-kerneloops-2.0.7-3.1.mga2
libreport-2.0.8-5.mga2
lib64report0-2.0.8-5.mga2
abrt-addon-ccpp-2.0.7-3.1.mga2
abrt-addon-vmcore-2.0.7-3.1.mga2
lib64report-gtk0-2.0.8-5.mga2
lib64report-abrt_dbus0-2.0.8-5.mga2
abrt-desktop-2.0.7-3.1.mga2
libreport-python-2.0.8-5.mga2
abrt-2.0.7-3.1.mga2
abrt-addon-python-2.0.7-3.1.mga2
abrt-gui-2.0.7-3.1.mga2
```

Should this be pushed in its current form, or shall we assign it back to you, David, until it can be fixed?

Let's push this. Thanks.

Whiteboard: feedback => (none)

I'll create a new bug for it.

Validating. Advisory & srpm in comment 1.

Could sysadmin please push from core/updates_testing to core/updates. Thanks!

Keywords: (none) => validated_update

Bug 9014 created for abrt.

Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0047

Status: NEW => RESOLVED