MGASA-2012-0357
Date: December 11th, 2012
Affected releases: 2
Description:
Updated abrt packages fix security vulnerability:
If the C handler plug-in in ABRT was enabled (the abrt-addon-ccpp
package installed and the abrt-ccpp service running), and the sysctl
fs.suid_dumpable option was set to "2" (it is "0" by default), core
dumps of set user ID (setuid) programs were created with insecure group
ID permissions. This could allow local, unprivileged users to obtain
sensitive information from the core dump files of setuid processes
they would otherwise not be able to access (CVE-2012-1106).
Updated Packages:
abrt-2.0.7-3.1.mga2
abrt-addon-ccpp-2.0.7-3.1.mga2
abrt-addon-kerneloops-2.0.7-3.1.mga2
abrt-addon-python-2.0.7-3.1.mga2
abrt-addon-vmcore-2.0.7-3.1.mga2
abrt-cli-2.0.7-3.1.mga2
abrt-desktop-2.0.7-3.1.mga2
abrt-gui-2.0.7-3.1.mga2
lib(64)abrt0-2.0.7-3.1.mga2
lib(64)abrt-devel-2.0.7-3.1.mga2
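
A host-side check for the conditions in the description and the fixed version listed above, as an added example that is not part of the advisory or of ABRT. Assumptions: the running abrt-ccpp service is detected by the string "abrt-hook-ccpp" in kernel.core_pattern, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: evaluates the exposure conditions named in MGASA-2012-0357.
FIXED_VERSION="2.0.7-3.1.mga2"   # fixed abrt-addon-ccpp version, from the advisory

# assess SUID_DUMPABLE CORE_PATTERN INSTALLED_VERSION
# Pure decision logic, kept separate from host access so it can be tested.
# Returns 1 only when every condition from the advisory holds and the
# installed version is not the fixed one.
assess() {
    dumpable=$1
    pattern=$2
    version=$3
    if [ "$dumpable" != "2" ]; then
        echo "not-exposed: fs.suid_dumpable=$dumpable"
        return 0
    fi
    if [ -z "$version" ]; then
        echo "not-exposed: abrt-addon-ccpp not installed"
        return 0
    fi
    # Assumption: an active abrt-ccpp service shows up as a core_pattern
    # that pipes core dumps to a helper named abrt-hook-ccpp.
    case $pattern in
        *abrt-hook-ccpp*) ;;
        *) echo "not-exposed: ABRT C handler not active"
           return 0 ;;
    esac
    if [ "$version" = "$FIXED_VERSION" ]; then
        echo "patched: abrt-addon-ccpp $version"
        return 0
    fi
    # No RPM version ordering is attempted here: anything other than the
    # exact fixed version is flagged for a manual comparison.
    echo "review: conditions met, abrt-addon-ccpp $version (fixed in $FIXED_VERSION)"
    return 1
}

# check_host: gathers the three inputs from the running system.
check_host() {
    host_dumpable=$(cat /proc/sys/fs/suid_dumpable 2>/dev/null) || host_dumpable=""
    host_pattern=$(cat /proc/sys/kernel/core_pattern 2>/dev/null) || host_pattern=""
    host_version=$(rpm -q --qf '%{VERSION}-%{RELEASE}' abrt-addon-ccpp 2>/dev/null) \
        || host_version=""
    assess "$host_dumpable" "$host_pattern" "$host_version"
}

# Run against this machine only when asked: sh check.sh --host
if [ "${1:-}" = "--host" ]; then check_host; fi
```

A "review" result on a system with a package newer than the fixed version only needs the version comparison done by hand.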
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1106
https://rhn.redhat.com/errata/RHSA-2012-0841.html
https://bugs.mageia.org/show_bug.cgi?id=6523