Question: The release notes state: "Use ast.literal_eval() instead of the generic eval(), to prevent arbitrary code execution from malicious .crash files"

The change should be in ui.py in this revision: http://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/3114

Just to be clear: How does "self.offer_restart = True" avoid generic "eval()" and use "ast.literal_eval()" instead? Does this also mean that there are still situations where "eval()" is called? And why? This always leads to security issues, it's just a matter of time.

Thanks for fixing it quickly.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1648806

Title: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files

To manage notifications about this bug go to: https://bugs.launchpad.net/apport/+bug/1648806/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
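The distinction the release note draws, shown as an added example that is not Apport's code and not part of this bug thread: a field read from a .crash file is untrusted text, and eval() will execute any Python expression in it, while ast.literal_eval() only builds literal values (strings, numbers, tuples, lists, dicts, sets, booleans, None) and raises ValueError for anything else. The field names and sample values below are constructed for illustration, as is the parse_field_* naming; the length guard is added because ast.literal_eval() is documented as able to exhaust the interpreter's stack on deeply nested input, so it is not a complete sandbox on its own.

```python
import ast

# Constructed sample field contents of the kind a .crash file might carry.
# These are made-up values, not the ones from the bug report.
SAFE_FIELD = "{'impl': 'launchpad', 'project': 'apport'}"
CRAFTED_FIELD = "print('this line would run under eval()')"

# Hypothetical upper bound on field size; deeply nested literals can still
# exhaust the parser's stack, so reject oversized input before parsing.
MAX_FIELD_LEN = 4096


def parse_field_unsafe(value):
    """The pattern the fix removes: eval() on text from an untrusted file.

    Any Python expression in `value` is executed with the caller's privileges.
    Kept here only to contrast with the hardened form; never use on .crash data.
    """
    return eval(value)


def parse_field_safe(value):
    """Hardened form: accept only a dict literal, reject everything else.

    Returns the parsed dict, or None when the field is not a plain literal
    dict of string keys. Nothing in `value` is ever executed.
    """
    if not isinstance(value, str) or len(value) > MAX_FIELD_LEN:
        return None
    try:
        parsed = ast.literal_eval(value)
    except (ValueError, SyntaxError, MemoryError, RecursionError):
        # ValueError: syntactically valid Python but not a literal
        # (function calls, attribute access, names all land here).
        # SyntaxError: not parseable at all.
        # MemoryError/RecursionError: pathological nesting.
        return None
    if not isinstance(parsed, dict):
        return None
    if not all(isinstance(k, str) for k in parsed):
        return None
    return parsed


if __name__ == "__main__":
    print("safe parser, well-formed field:", parse_field_safe(SAFE_FIELD))
    print("safe parser, crafted field:", parse_field_safe(CRAFTED_FIELD))
```

Running the module shows the crafted field being rejected (None) rather than executed; the unsafe variant is left in only so the two can be compared side by side, and the accompanying check only ever feeds it the well-formed sample.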
