This bug was fixed in the package apport - 1.1.1-0ubuntu1
---------------
apport (1.1.1-0ubuntu1) karmic; urgency=low

  [ Martin Pitt ]
  * New upstream security update:
    - etc/cron.daily/apport: Only attempt to remove files and symlinks, do not
      descend into subdirectories of /var/crash/. Doing so might be exploited by
      a race condition between find traversing a huge directory tree, changing
      an existing subdir into a symlink to e. g. /etc/, and finally getting
      that piped to rm. This also changes the find command to not use GNU
      extensions. Thanks to Stephane Chazelas for discovering this!
      (LP: #357024, CVE-2009-1295)
    - Other fixes were already cherrypicked in the previous upload.

  [ Matt Zimmerman ]
  * package-hooks/source_linux.py: Attach info for linux-restricted-modules
    and linux-backports-modules

 -- Martin Pitt <[email protected]>  Thu, 30 Apr 2009 09:08:29 +0200

** Branch linked: lp:~ubuntu-core-dev/apport/ubuntu

** Changed in: apport (Ubuntu)
       Status: Fix Committed => Fix Released

--
security hole in /etc/cron.daily/apport
https://bugs.launchpad.net/bugs/357024
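
The cleanup rule the changelog describes (remove only files and symlinks directly under the crash directory, never descend, no GNU find extensions), as an added example that is not apport's own cron script. The helper name `clean_crash_dir` and its directory and age parameters are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; not the contents of apport's /etc/cron.daily/apport.
#
# Shape the changelog warns about (constructed, do not use): a recursive walk
# whose output is handed to rm later. Between find visiting DIR/sub/file and
# rm acting on that path, "sub" can be swapped for a symlink.
#   find "$dir" -type f -mtime +"$days" -print | xargs rm -f
#
# clean_crash_dir DIR DAYS   (hypothetical helper name and parameters)
# Removes regular files and symlinks that sit directly in DIR and are older
# than DAYS days. Subdirectories are never entered.
clean_crash_dir() {
    dir=$1
    days=$2
    [ -d "$dir" ] || return 0
    # POSIX-only depth limit: starting at "DIR/." makes the start point's
    # name ".", so "! -name . -prune" prunes every other entry and find
    # never descends. This avoids GNU find's -maxdepth and -delete.
    # rm runs per entry on a path one component below DIR; unlinking a
    # symlink removes the link itself, never its target.
    find "$dir/." ! -name . -prune \( -type f -o -type l \) \
        -mtime +"$days" -exec rm -f -- {} \;
}
```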