From ${URL} :

A bug was found in libreport which causes the user's changes made to reported data to be thrown away. Only the changes to the first file in the list are saved and the rest are discarded. It means that Bugzilla attachments can contain data that the user wanted to remove.

The affected files are:
- backtrace
- cmdline (/proc/[pid]/cmdline)
- environ (/proc/[pid]/environ)
- open_fds (/proc/[pid]/{fd,fdinfo})
- maps (/proc/[pid]/maps)
- smaps (/proc/[pid]/smaps)
- hostname
- remote ("1" if the problem directory was uploaded from another host)
- ks.cfg (Anaconda's ks.cfg file)
- anaconda-tb

Upstream fix: https://github.com/abrt/libreport/commit/257578a23d1537a2d235aaa2b1488ee4f818e360
Included since v2.6.3.

@ Maintainer(s): Please bump to >=dev-libs/libreport-2.6.3
bugzilla plugin is disabled in our package with libreport-2.0.13-gentoo.patch
Thank you Pacho, that's very helpful info.

@Security please vote and add CVE

Gentoo Security Padawan
ChrisADR
GLSA Vote: No