Bug 563504 (CVE-2015-5302) - <dev-libs/libreport-2.0.13: Possible private data leak in Bugzilla bugs opened by ABRT
Status: RESOLVED FIXED
Alias: CVE-2015-5302
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-19 14:48 UTC by Agostino Sarubbo
Modified: 2017-09-24 21:00 UTC

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2015-10-19 14:48:19 UTC
From ${URL} :

A bug was found in libreport which causes the user's changes made to reported data to be thrown away. Only the changes to the first file in the list are saved and the rest are discarded. It means that Bugzilla attachments can contain data that the user wanted to remove.

The affected files are:
- backtrace
- cmdline (/proc/[pid]/cmdline)
- environ (/proc/[pid]/environ)
- open_fds (/proc/[pid]/{fd,fdinfo})
- maps (/proc/[pid]/maps)
- smaps (/proc/[pid]/smaps)
- hostname
- remote ("1" if the problem directory was uploaded from another host)
- ks.cfg (Anaconda's ks.cfg file)
- anaconda-tb
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-22 14:51:43 UTC
Upstream fix: https://github.com/abrt/libreport/commit/257578a23d1537a2d235aaa2b1488ee4f818e360

Included since v2.6.3.


@ Maintainer(s): Please bump to >=dev-libs/libreport-2.6.3
Comment 2 Pacho Ramos gentoo-dev 2017-09-20 17:36:51 UTC
The Bugzilla plugin is disabled in our package with libreport-2.0.13-gentoo.patch.
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-20 17:59:00 UTC
Thank you Pacho, that's very helpful info.

@Security please vote and add CVE

Gentoo Security Padawan
ChrisADR
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2017-09-24 21:00:10 UTC
GLSA Vote: No