RedHat has issued an advisory on January 31:
https://rhn.redhat.com/errata/RHSA-2013-0215.html

Judging by the commit dates, 5659 (abrt) may be fixed in Cauldron, but 5660 (libreport) wouldn't be.

Mageia 2 is also affected.
CC: (none) => mageia
CC: (none) => oe
CC: (none) => thierry.vignaud
Whiteboard: (none) => MGA2TOO
URL: (none) => http://lwn.net/Vulnerabilities/535717/
CVE-2012-5659 is indeed already fixed in the abrt version we have in Cauldron.

Patched libreport packages uploaded for Mageia 2 and Cauldron.

Patched abrt package uploaded for Mageia 2.

Advisory:
========================

Updated abrt and libreport packages fix security vulnerabilities:

It was found that the /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache tool did not sufficiently sanitize its environment variables. This could lead to Python modules being loaded and run from non-standard directories (such as /tmp/). A local attacker could use this flaw to escalate their privileges to that of the abrt user (CVE-2012-5659).

A race condition was found in the way ABRT handled the directories used to store information about crashes. A local attacker with the privileges of the abrt user could use this flaw to perform a symbolic link attack, possibly allowing them to escalate their privileges to root (CVE-2012-5660).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5660
https://rhn.redhat.com/errata/RHSA-2013-0215.html
========================

Updated packages in core/updates_testing:
========================
libreport-2.0.8-5.1.mga2
libreport-abrt_dbus0-2.0.8-5.1.mga2
libreport-abrt_web0-2.0.8-5.1.mga2
libreport0-2.0.8-5.1.mga2
libreport-filesystem-2.0.8-5.1.mga2
libreport-devel-2.0.8-5.1.mga2
libreport-python-2.0.8-5.1.mga2
libreport-cli-2.0.8-5.1.mga2
libreport-newt-2.0.8-5.1.mga2
libreport-gtk-2.0.8-5.1.mga2
libreport-gtk0-2.0.8-5.1.mga2
libreport-gtk-devel-2.0.8-5.1.mga2
libreport-plugin-kerneloops-2.0.8-5.1.mga2
libreport-plugin-logger-2.0.8-5.1.mga2
libreport-plugin-mailx-2.0.8-5.1.mga2
libreport-plugin-bugzilla-2.0.8-5.1.mga2
libreport-plugin-bodhi-2.0.8-5.1.mga2
libreport-compat-2.0.8-5.1.mga2
libreport-plugin-reportuploader-2.0.8-5.1.mga2
abrt-2.0.7-3.2.mga2
libabrt0-2.0.7-3.2.mga2
libabrt-devel-2.0.7-3.2.mga2
abrt-gui-2.0.7-3.2.mga2
abrt-addon-ccpp-2.0.7-3.2.mga2
abrt-addon-kerneloops-2.0.7-3.2.mga2
abrt-addon-vmcore-2.0.7-3.2.mga2
abrt-addon-python-2.0.7-3.2.mga2
abrt-cli-2.0.7-3.2.mga2
abrt-desktop-2.0.7-3.2.mga2

from SRPMS:
libreport-2.0.8-5.1.mga2.src.rpm
abrt-2.0.7-3.2.mga2.src.rpm
Version: Cauldron => 2
Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA2TOO => (none)
As with the previous abrt testing, I'm following the procedure at https://fedoraproject.org/wiki/QA:Testcase_ABRT but I am not getting the notification. In the previous test, libreport was not installed, iirc. Should it be required by the abrt package? Is there some other piece that needs to be installed to get abrt and libreport working?
CC: (none) => davidwhodgins
Whiteboard: (none) => feedback
rpm tells me that several of the abrt packages require libreport.so.0, so at least libreport0 should be installed. You shouldn't be able to install the abrt packages without it. As far as the other packages, a couple of them are explicitly required by some of the abrt subpackages, but we don't have quite as many explicit requires as Fedora's spec. For "libreport" itself, Fedora's abrt-dbus subpackage (we don't have a subpackage by that name) requires it. So, you can try installing it and the other libreport subpackages and see if it makes any difference. Hopefully we can get some feedback from other developers. I don't know much about abrt.
More testing info here https://fedorahosted.org/abrt/wiki/AbrtBasicFunctionality
Found that abrt-desktop is a meta package which should bring in all necessary bits, so installed that and several libreport bits.

Problem with existing package, it appears not to be working anyway.

# service abrtd restart
Restarting abrtd (via systemctl): [ OK ]
$ ps aux | grep abrt
root 19484 0.0 0.0 21500 1088 ? Ss 19:06 0:00 /usr/sbin/abrtd
$ abrt-applet
ABRT service is not running
# rpm -qa | grep -e abrt -e report
lib64abrt0-2.0.7-3.1.mga2
libreport-gtk-2.0.8-5.mga2
libreport-filesystem-2.0.8-5.mga2
abrt-addon-kerneloops-2.0.7-3.1.mga2
libreport-2.0.8-5.mga2
lib64report0-2.0.8-5.mga2
abrt-addon-ccpp-2.0.7-3.1.mga2
abrt-addon-vmcore-2.0.7-3.1.mga2
lib64report-gtk0-2.0.8-5.mga2
lib64report-abrt_dbus0-2.0.8-5.mga2
abrt-desktop-2.0.7-3.1.mga2
libreport-python-2.0.8-5.mga2
abrt-2.0.7-3.1.mga2
abrt-addon-python-2.0.7-3.1.mga2
abrt-gui-2.0.7-3.1.mga2
Should this be pushed in its current form or shall we assign it back to you David until it can be fixed?
Let's push this. Thanks.
Whiteboard: feedback => (none)
I'll create a new bug for it.

Validating

Advisory & srpm in comment 1

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Bug 9014 created for abrt
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0047
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED