Mageia Bugzilla – Bug 8937
abrt/libreport new security issues CVE-2012-5659 and CVE-2012-5660
Last modified: 2013-02-09 14:12:38 CET
Red Hat has issued an advisory on January 31:
Judging by the commit dates, 5659 (abrt) may be fixed in Cauldron, but 5660 (libreport) wouldn't be.
Mageia 2 is also affected.
CVE-2012-5659 is indeed already fixed in the abrt version we have in Cauldron.
Patched libreport packages uploaded for Mageia 2 and Cauldron.
Patched abrt package uploaded for Mageia 2.
Updated abrt and libreport packages fix security vulnerabilities:
It was found that the
/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache tool did not
sufficiently sanitize its environment variables. This could lead to Python
modules being loaded and run from non-standard directories (such as /tmp/).
A local attacker could use this flaw to escalate their privileges to that
of the abrt user (CVE-2012-5659).
A race condition was found in the way ABRT handled the directories used to
store information about crashes. A local attacker with the privileges of
the abrt user could use this flaw to perform a symbolic link attack,
possibly allowing them to escalate their privileges to root (CVE-2012-5660).
Updated packages in core/updates_testing:
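Defensive illustration of the two classes of flaw named in the advisory above (example code added here, not abrt's or libreport's own): a privileged helper builds its environment from an allowlist instead of inheriting it, and a crash directory is opened without following symlinks with the ownership check done on the opened descriptor, not the path. The allowlist, the spool layout and the sample values are constructed.

```python
import os
import stat
import tempfile

# A privileged helper must not inherit variables that change what code the
# interpreter or dynamic loader runs (PYTHONPATH, LD_*); use an allowlist.
ALLOWED = {"LANG", "LC_ALL", "TERM"}
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"

def sanitized_env(env):
    """Keep only allowlisted variables and force a fixed PATH."""
    clean = {k: v for k, v in env.items() if k in ALLOWED}
    clean["PATH"] = SAFE_PATH
    return clean

def open_crash_dir(base_fd, name, expected_uid):
    """Open base/name without following symlinks, then verify the object we
    actually opened (not the path) is a directory owned by expected_uid."""
    try:
        fd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                     dir_fd=base_fd)
    except OSError as exc:  # ELOOP when a symlink was planted in place
        raise PermissionError(f"refusing {name}: {exc.strerror}") from exc
    st = os.fstat(fd)  # fstat on the fd: no window for a swap after the check
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != expected_uid:
        os.close(fd)
        raise PermissionError(f"refusing {name}: wrong type or owner")
    return fd

def demo():
    """Constructed scenario: tainted environment, one real crash directory
    and one symlink planted beside it under a temporary spool directory."""
    clean = sanitized_env({"PYTHONPATH": "/tmp/evil", "LD_PRELOAD": "/tmp/x.so",
                           "LANG": "C", "PATH": "/tmp:/usr/bin"})
    results = {"env_keys": sorted(clean)}
    with tempfile.TemporaryDirectory() as spool, tempfile.TemporaryDirectory() as other:
        os.mkdir(os.path.join(spool, "ccpp-real"))
        os.symlink(other, os.path.join(spool, "ccpp-link"))
        base_fd = os.open(spool, os.O_RDONLY | os.O_DIRECTORY)
        try:
            os.close(open_crash_dir(base_fd, "ccpp-real", os.getuid()))
            results["real_dir_ok"] = True
            try:
                open_crash_dir(base_fd, "ccpp-link", os.getuid())
                results["symlink_rejected"] = False
            except PermissionError:
                results["symlink_rejected"] = True
        finally:
            os.close(base_fd)
    return results
```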
As with the previous abrt testing, I'm following the procedure at
but I am not getting the notification.
In the previous test, libreport was not installed, iirc. Should
it be required by the abrt package?
Is there some other piece that needs to be installed to get
abrt and libreport working?
rpm tells me that several of the abrt packages require libreport.so.0, so at least libreport0 should be installed. You shouldn't be able to install the abrt packages without it. As far as the other packages, a couple of them are explicitly required by some of the abrt subpackages, but we don't have quite as many explicit requires as Fedora's spec. For "libreport" itself, Fedora's abrt-dbus subpackage (we don't have a subpackage by that name) requires it. So, you can try installing it and the other libreport subpackages and see if it makes any difference.
Hopefully we can get some feedback from other developers. I don't know much about abrt.
More testing info here https://fedorahosted.org/abrt/wiki/AbrtBasicFunctionality
Found that abrt-desktop is a meta package which should bring in all necessary bits, so installed that and several libreport bits.
Problem with existing package, it appears not to be working anyway.
# service abrtd restart
Restarting abrtd (via systemctl): [ OK ]
$ ps aux | grep abrt
root 19484 0.0 0.0 21500 1088 ? Ss 19:06 0:00 /usr/sbin/abrtd
ABRT service is not running
# rpm -qa | grep -e abrt -e report
Should this be pushed in its current form or shall we assign it back to you David until it can be fixed?
Let's push this. Thanks.
I'll create a new bug for it.
Advisory & srpm in comment 1
Could sysadmin please push from core/updates_testing to core/updates
Bug 9014 created for abrt