USN-3157-1: Apport vulnerabilities
Ubuntu Security Notice USN-3157-1

14th December, 2016

apport vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

Ubuntu 16.10
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Apport could be made to run programs as your login if it opened a specially crafted file.

Software description

apport – automatically generate crash reports for debugging

Details

Donncha O Cearbhaill discovered that the crash file parser in Apport improperly treated the CrashDB field as python code. An attacker could use this to convince a user to open a maliciously crafted crash file and execute arbitrary code with the privileges of that user. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-9949)

Donncha O Cearbhaill discovered that Apport did not properly sanitize the Package and SourcePackage fields in crash files before processing package specific hooks. An attacker could [ more… ]
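As an added illustration of the CrashDB issue (CVE-2016-9949), the sketch below treats the field strictly as data: a plain name or a literal dict is accepted, anything that would need evaluation is rejected. It is not Apport's code and not part of the notice; the simplified "Key: value" report layout, the sample reports and all function names are assumptions made for the example.

```python
import ast
import re

# Bare database names: a conservative character set chosen for this example.
NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")


def read_field(report_text, name="CrashDB"):
    """Return the value of the first 'name: value' line, or None if absent."""
    for line in report_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key == name:
            return value.strip()
    return None


def parse_crashdb(value):
    """Interpret a CrashDB value strictly as data, never as code.

    Returns ("name", str) or ("literal", dict); raises ValueError otherwise.
    """
    if NAME_RE.fullmatch(value or ""):
        return ("name", value)
    try:
        # literal_eval accepts only literals (strings, numbers, dicts, ...);
        # calls, attribute access, names and comprehensions are rejected.
        parsed = ast.literal_eval(value or "")
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        raise ValueError("CrashDB is neither a plain name nor a literal")
    if not isinstance(parsed, dict) or not all(isinstance(k, str) for k in parsed):
        raise ValueError("CrashDB literal must be a dict with string keys")
    return ("literal", parsed)


def check_report(report_text):
    """Return (accepted, detail) for a report's CrashDB field."""
    value = read_field(report_text)
    if value is None:
        return (True, "no CrashDB field")
    try:
        kind, _ = parse_crashdb(value)
    except ValueError as exc:
        return (False, str(exc))
    return (True, kind)


# Constructed sample reports (not taken from the notice).
PLAIN = "ProblemType: Crash\nCrashDB: example_db\n"
LITERAL = "ProblemType: Crash\nCrashDB: {'kind': 'example'}\n"
EXPRESSION = "ProblemType: Crash\nCrashDB: {'kind': len('a')}\n"
```

The same check can be run over crash files received from outside before they are opened in a reporting tool, flagging any whose CrashDB value is rejected.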