From Mageia wiki

MGASA-2012-0357

Date: December 11th, 2012
Affected releases: 2


Description:
Updated abrt packages fix a security vulnerability:

If the C handler plug-in in ABRT was enabled (the abrt-addon-ccpp
package installed and the abrt-ccpp service running), and the sysctl
fs.suid_dumpable option was set to "2" (it is "0" by default), core
dumps of set user ID (setuid) programs were created with insecure group
ID permissions. This could allow local, unprivileged users to obtain
sensitive information from the core dump files of setuid processes
they would otherwise not be able to access (CVE-2012-1106).


Updated Packages:
abrt-2.0.7-3.1.mga2
abrt-addon-ccpp-2.0.7-3.1.mga2
abrt-addon-kerneloops-2.0.7-3.1.mga2
abrt-addon-python-2.0.7-3.1.mga2
abrt-addon-vmcore-2.0.7-3.1.mga2
abrt-cli-2.0.7-3.1.mga2
abrt-desktop-2.0.7-3.1.mga2
abrt-gui-2.0.7-3.1.mga2
lib(64)abrt0-2.0.7-3.1.mga2
lib(64)abrt-devel-2.0.7-3.1.mga2
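
An added example (not part of the advisory or of ABRT) that checks a host against the conditions described above: abrt-addon-ccpp older than the fixed release, the ABRT core handler active, and fs.suid_dumpable set to 2. Assumptions: the handler is visible as "abrt-hook-ccpp" in kernel.core_pattern, and the version comparison is a simplified form of rpm's ordering.

```python
import re, subprocess

FIXED = "2.0.7-3.1.mga2"   # fixed version-release, from the advisory's package list
HOOK = "abrt-hook-ccpp"    # assumption: core handler named in kernel.core_pattern

def rpmvercmp(a, b):
    """Simplified rpm segment comparison (no '~' or '^' handling)."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def older_than_fix(installed, fixed=FIXED):
    """Compare version first, then release, as rpm does."""
    (iv, _, ir), (fv, _, fr) = installed.rpartition("-"), fixed.rpartition("-")
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) < 0

def assess(suid_dumpable, core_pattern, installed):
    """Return a verdict for one host from the three facts the advisory names."""
    if not installed:
        return "not-installed"
    if not older_than_fix(installed):
        return "patched"
    if suid_dumpable == 2 and HOOK in core_pattern:
        return "exposed"
    return "unpatched-but-not-triggered"

def live_facts():
    """Collect the facts on the local host (needs /proc and rpm)."""
    read = lambda p: open(p).read().strip()
    q = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "abrt-addon-ccpp"],
                       capture_output=True, text=True)
    return (int(read("/proc/sys/fs/suid_dumpable")),
            read("/proc/sys/kernel/core_pattern"),
            q.stdout.strip() if q.returncode == 0 else None)

if __name__ == "__main__":
    print(assess(*live_facts()))
```

A verdict of "unpatched-but-not-triggered" still calls for the update, since a later change to fs.suid_dumpable or the service state would bring the host into the affected configuration.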


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1106
https://rhn.redhat.com/errata/RHSA-2012-0841.html
https://bugs.mageia.org/show_bug.cgi?id=6523