From Mageia wiki

MGASA-2013-0047

Date: February 9th, 2013
Affected releases: 2
Media: Core


Description:
Updated abrt and libreport packages fix security vulnerabilities:

It was found that the
/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache tool did not
sufficiently sanitize its environment variables. This could lead to Python
modules being loaded and run from non-standard directories (such as /tmp/).
A local attacker could use this flaw to escalate their privileges to that
of the abrt user (CVE-2012-5659).
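
The class of fix for the first issue, shown as an added example that is not ABRT's or Mageia's code: a privileged launcher passes only an allowlisted environment to the Python helper and starts the interpreter with `-E -s`, so a caller-supplied `PYTHONPATH` never reaches `sys.path`. The allowlist, the fixed `PATH` and the function names are assumptions made for illustration, and the untrusted directory is a constructed temporary directory.

```python
import os
import subprocess
import sys
import tempfile

# Allowlist of variables handed to the helper. This list is an assumption
# for illustration, not the list used by the ABRT fix.
SAFE_VARS = ("LANG", "LC_ALL", "TZ")
FIXED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def sanitized_env(env):
    """Return a new environment holding only allowlisted variables."""
    clean = {k: env[k] for k in SAFE_VARS if k in env}
    clean["PATH"] = FIXED_PATH  # never inherit the caller's search path
    return clean


def child_sys_path(env, isolated):
    """Start a child interpreter with env and return its sys.path."""
    argv = [sys.executable]
    if isolated:
        argv += ["-E", "-s"]  # ignore PYTHON* variables and the user site dir
    argv += ["-c", "import sys; print('\\n'.join(sys.path))"]
    out = subprocess.run(argv, env=env, capture_output=True,
                         text=True, check=True)
    return out.stdout.splitlines()


def demo():
    """Return (reaches_child_unsanitized, reaches_child_sanitized)."""
    with tempfile.TemporaryDirectory() as untrusted:
        untrusted = os.path.realpath(untrusted)
        # Constructed caller environment pointing at a caller-chosen directory.
        caller_env = dict(os.environ, PYTHONPATH=untrusted)

        def present(paths):
            return any(os.path.realpath(p) == untrusted for p in paths if p)

        before = present(child_sys_path(caller_env, isolated=False))
        after = present(child_sys_path(sanitized_env(caller_env), isolated=True))
    return before, after


if __name__ == "__main__":
    print(demo())
```
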

A race condition was found in the way ABRT handled the directories used
to store information about crashes. A local attacker with the privileges
of the abrt user could use this flaw to perform a symbolic link attack,
possibly allowing them to escalate their privileges to root (CVE-2012-5660).


Updated Packages:
i586:
abrt-2.0.7-3.2.mga2.i586.rpm
abrt-addon-ccpp-2.0.7-3.2.mga2.i586.rpm
abrt-addon-kerneloops-2.0.7-3.2.mga2.i586.rpm
abrt-addon-python-2.0.7-3.2.mga2.i586.rpm
abrt-addon-vmcore-2.0.7-3.2.mga2.i586.rpm
abrt-cli-2.0.7-3.2.mga2.i586.rpm
abrt-desktop-2.0.7-3.2.mga2.i586.rpm
abrt-gui-2.0.7-3.2.mga2.i586.rpm
libabrt0-2.0.7-3.2.mga2.i586.rpm
libabrt-devel-2.0.7-3.2.mga2.i586.rpm
abrt-debug-2.0.7-3.2.mga2.i586.rpm
libreport0-2.0.8-5.1.mga2.i586.rpm
libreport-2.0.8-5.1.mga2.i586.rpm
libreport-abrt_dbus0-2.0.8-5.1.mga2.i586.rpm
libreport-abrt_web0-2.0.8-5.1.mga2.i586.rpm
libreport-cli-2.0.8-5.1.mga2.i586.rpm
libreport-compat-2.0.8-5.1.mga2.i586.rpm
libreport-devel-2.0.8-5.1.mga2.i586.rpm
libreport-filesystem-2.0.8-5.1.mga2.i586.rpm
libreport-gtk0-2.0.8-5.1.mga2.i586.rpm
libreport-gtk-2.0.8-5.1.mga2.i586.rpm
libreport-gtk-devel-2.0.8-5.1.mga2.i586.rpm
libreport-newt-2.0.8-5.1.mga2.i586.rpm
libreport-plugin-bodhi-2.0.8-5.1.mga2.i586.rpm
libreport-plugin-bugzilla-2.0.8-5.1.mga2.i586.rpm
libreport-plugin-kerneloops-2.0.8-5.1.mga2.i586.rpm
libreport-plugin-logger-2.0.8-5.1.mga2.i586.rpm
libreport-plugin-mailx-2.0.8-5.1.mga2.i586.rpm
libreport-plugin-reportuploader-2.0.8-5.1.mga2.i586.rpm
libreport-python-2.0.8-5.1.mga2.i586.rpm
libreport-debug-2.0.8-5.1.mga2.i586.rpm

x86_64:
abrt-2.0.7-3.2.mga2.x86_64.rpm
abrt-addon-ccpp-2.0.7-3.2.mga2.x86_64.rpm
abrt-addon-kerneloops-2.0.7-3.2.mga2.x86_64.rpm
abrt-addon-python-2.0.7-3.2.mga2.x86_64.rpm
abrt-addon-vmcore-2.0.7-3.2.mga2.x86_64.rpm
abrt-cli-2.0.7-3.2.mga2.x86_64.rpm
abrt-desktop-2.0.7-3.2.mga2.x86_64.rpm
abrt-gui-2.0.7-3.2.mga2.x86_64.rpm
lib64abrt0-2.0.7-3.2.mga2.x86_64.rpm
lib64abrt-devel-2.0.7-3.2.mga2.x86_64.rpm
abrt-debug-2.0.7-3.2.mga2.x86_64.rpm
lib64report0-2.0.8-5.1.mga2.x86_64.rpm
lib64report-abrt_dbus0-2.0.8-5.1.mga2.x86_64.rpm
lib64report-abrt_web0-2.0.8-5.1.mga2.x86_64.rpm
lib64report-devel-2.0.8-5.1.mga2.x86_64.rpm
lib64report-gtk0-2.0.8-5.1.mga2.x86_64.rpm
lib64report-gtk-devel-2.0.8-5.1.mga2.x86_64.rpm
libreport-2.0.8-5.1.mga2.x86_64.rpm
libreport-cli-2.0.8-5.1.mga2.x86_64.rpm
libreport-compat-2.0.8-5.1.mga2.x86_64.rpm
libreport-filesystem-2.0.8-5.1.mga2.x86_64.rpm
libreport-gtk-2.0.8-5.1.mga2.x86_64.rpm
libreport-newt-2.0.8-5.1.mga2.x86_64.rpm
libreport-plugin-bodhi-2.0.8-5.1.mga2.x86_64.rpm
libreport-plugin-bugzilla-2.0.8-5.1.mga2.x86_64.rpm
libreport-plugin-kerneloops-2.0.8-5.1.mga2.x86_64.rpm
libreport-plugin-logger-2.0.8-5.1.mga2.x86_64.rpm
libreport-plugin-mailx-2.0.8-5.1.mga2.x86_64.rpm
libreport-plugin-reportuploader-2.0.8-5.1.mga2.x86_64.rpm
libreport-python-2.0.8-5.1.mga2.x86_64.rpm
libreport-debug-2.0.8-5.1.mga2.x86_64.rpm

SRPMS:
abrt-2.0.7-3.2.mga2.src.rpm
libreport-2.0.8-5.1.mga2.src.rpm


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5660
https://rhn.redhat.com/errata/RHSA-2013-0215.html
https://bugs.mageia.org/show_bug.cgi?id=8937