[Bug 1004503] Re: Incomplete fix for CVE-2012-0949
Brian Murray
brian at ubuntu.com
Wed Jul 25 20:51:04 UTC 2012

The code in question was split out into ubuntu-release-upgrader and was
fixed with the following upload:

ubuntu-release-upgrader (1:0.174) quantal-proposed; urgency=low

  * DistUpgrade/DistUpgradeApport.py: use a whitelist to ensure that only
    specified files are gathered when creating an apport crash report
    (LP: #1004503)

 -- Brian Murray <brian at ubuntu.com>  Wed, 25 Jul 2012 12:06:06 -0700

** Changed in: update-manager (Ubuntu Quantal)
     Assignee: Michael Vogt (mvo) => Brian Murray (brian-murray)
** Changed in: update-manager (Ubuntu Quantal)
       Status: Confirmed => Fix Released
-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1004503
Title:
  Incomplete fix for CVE-2012-0949
Status in “update-manager” package in Ubuntu:
  Fix Released
Status in “update-manager” source package in Natty:
  Fix Released
Status in “update-manager” source package in Oneiric:
  Fix Released
Status in “update-manager” source package in Precise:
  Fix Released
Status in “update-manager” source package in Quantal:
  Fix Released
Bug description:
  The following USN fixed CVE-2012-0949:
  http://www.ubuntu.com/usn/usn-1443-1/
  "Felix Geyer discovered that the Update Manager Apport hook incorrectly
  uploaded certain system state archive files to Launchpad when reporting
  bugs. This could possibly result in repository credentials being included
  in public bug reports."
  This was originally LP #954483
  Unfortunately, the state archive files are still being uploaded. It
  seems there is code in DistUpgradeApport.py that attaches the contents
  of the /var/log/dist-upgrade directory and manually runs apport.
  apport_crash() can be simply modified to exclude the archive files,
  but fixing apport_pkgfailure() is more complicated.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1004503/+subscriptions
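The two gathering strategies the bug contrasts, as an added example that is not part of the bug report or of ubuntu-release-upgrader: a denylist over a whole log directory versus the whitelist approach taken in the fix. File names, directory contents and the allowlist itself are constructed for the example; the real list lives in DistUpgradeApport.py.

```python
import os
import tempfile

# Names the hook is allowed to attach. Assumed, constructed names for this
# example, not the list from DistUpgradeApport.py.
ATTACH_ALLOWLIST = ("main.log", "apt.log", "term.log")

# Constructed contents of a /var/log/dist-upgrade-style directory. The two
# archives stand in for the "system state archive files" named in the USN;
# the embedded credentials are fake.
SAMPLE_LOGDIR = {
    "main.log": b"Log time: 2012-07-25\n",
    "apt.log": b"Starting pkgProblemResolver\n",
    "system_state.tar.gz": b"\x1f\x8bdeb http://user:secret@private.example/ubuntu\n",
    "apt-state-backup.tgz": b"\x1f\x8bmachine private.example login user password secret\n",
}

def gather_denylist(logdir, excluded_suffixes=(".tar.gz",)):
    """Original pattern: attach every regular file in logdir except those
    matching a denylist. An archive whose suffix the denylist does not
    name (here .tgz) is still uploaded."""
    attached = {}
    for name in sorted(os.listdir(logdir)):
        path = os.path.join(logdir, name)
        if not os.path.isfile(path) or name.endswith(excluded_suffixes):
            continue
        with open(path, "rb") as fh:
            attached[name] = fh.read()
    return attached

def gather_allowlist(logdir, allowed=ATTACH_ALLOWLIST):
    """Fixed pattern: only explicitly named regular files are opened, so a
    new archive (or a symlink dropped into the directory) is never read."""
    attached = {}
    for name in allowed:
        path = os.path.join(logdir, name)
        if os.path.isfile(path) and not os.path.islink(path):
            with open(path, "rb") as fh:
                attached[name] = fh.read()
    return attached

def compare_on_sample():
    """Write the constructed directory and return both attachment sets."""
    with tempfile.TemporaryDirectory() as logdir:
        for name, data in SAMPLE_LOGDIR.items():
            with open(os.path.join(logdir, name), "wb") as fh:
                fh.write(data)
        return gather_denylist(logdir), gather_allowlist(logdir)

if __name__ == "__main__":
    deny, allow = compare_on_sample()
    print("denylist attaches: ", sorted(deny))
    print("allowlist attaches:", sorted(allow))
```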