This bug was fixed in the package apport - 2.20.3-0ubuntu8.2
---------------
apport (2.20.3-0ubuntu8.2) yakkety-security; urgency=medium
[ Marc Deslauriers ]
* SECURITY UPDATE: code execution via malicious crash files
- Use ast.literal_eval in apport/ui.py, added test to test/test_ui.py.
- No CVE number
- LP: #1648806
* SECURITY UPDATE: path traversal vulnerability with hooks execution
- Clean path in apport/report.py, added test to test/test_ui.py.
- No CVE number
- LP: #1648806
[ Steve Beattie ]
* SECURITY UPDATE: code execution via malicious crash files
- Only offer restarting the application when processing a
crash file in /var/crash in apport/ui.py, gtk/apport-gtk,
and kde/apport-kde. Add testcases to test/test_ui.py,
test/test_ui_gtk.py, and test_ui_kde.py.
- No CVE number
- LP: #1648806
-- Marc Deslauriers <[email protected]> Tue, 13 Dec 2016
10:55:09 -0800
** Changed in: apport (Ubuntu Yakkety)
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1648806
Title:
Arbitrary code execution through crafted CrashDB or Package/Source
fields in .crash files
To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/1648806/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
