Bug 546912 (CVE-2015-3142) - <app-admin/abrt-2.10.9: abrt-hook-ccpp writes core dumps to existing files owned by others
Status: RESOLVED FIXED
Alias: CVE-2015-3142
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 451742
Blocks:
Reported: 2015-04-17 12:42 UTC by Agostino Sarubbo
Modified: 2019-03-10 14:44 UTC

See Also:
Package list:
=dev-libs/satyr-0.26 =dev-libs/libreport-2.9.5 =dev-python/humanize-0.5.1 =app-admin/abrt-2.10.10-r2
Runtime testing required: Yes
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2015-04-17 12:42:03 UTC
From ${URL} :

It was discovered that the kernel-invoked coredump processor provided by
abrt writes core dumps to files owned by other system users.  This could
result in information disclosure if an application crashes while its
current directory is a directory writable to other users (such as /tmp).



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
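
Added illustration (not ABRT's code and not part of the original report): one way a dump writer can refuse the situation described above, where a file with the dump's name already exists in a shared directory and belongs to someone else. The names `open_dump_file` and `run_demo`, the scratch directory and the exact set of checks are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `name` under `dirfd` to hold a dump for user `owner` (hypothetical helper).
 * Returns a writable fd, or -1 when the existing target is unsafe to fill. */
int open_dump_file(int dirfd, const char *name, uid_t owner)
{
    /* Normal case: create a new private file; O_EXCL never follows a symlink. */
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0 || errno != EEXIST)
        return fd;

    /* Name exists: open without creating; O_NONBLOCK keeps a FIFO from blocking. */
    fd = openat(dirfd, name, O_WRONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;                  /* symlink (ELOOP) or not writable */
    struct stat st;                 /* fstat the fd, not the path: no check/use race */
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||     /* no FIFOs, devices, directories */
        st.st_nlink != 1 ||         /* no hard link planted under another name */
        st.st_uid != owner ||       /* never fill a file someone else owns */
        ftruncate(fd, 0) != 0) {    /* only now discard the old contents */
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a scratch directory; returns a bitmask of accepted opens. */
int run_demo(void)
{
    char dir[] = "/tmp/dumpdemo.XXXXXX";
    if (!mkdtemp(dir)) return -1;
    int d = open(dir, O_RDONLY | O_DIRECTORY), r = 0, fd;
    uid_t me = geteuid();
    if ((fd = open_dump_file(d, "core", me)) >= 0)     { r |= 1; close(fd); } /* new file */
    if ((fd = open_dump_file(d, "core", me)) >= 0)     { r |= 2; close(fd); } /* own file */
    if ((fd = open_dump_file(d, "core", me + 1)) >= 0) { r |= 4; close(fd); } /* foreign owner */
    if (symlinkat("core", d, "link") != 0) r |= 16;                            /* setup failed */
    if ((fd = open_dump_file(d, "link", me)) >= 0)     { r |= 8; close(fd); } /* symlink */
    unlinkat(d, "link", 0); unlinkat(d, "core", 0); close(d); rmdir(dir);
    return r;
}

int main(void) { return run_demo() == 3 ? 0 : 1; }
```

Only the first two opens succeed: a freshly created file and an existing file owned by the dump's user. The pre-existing file with a different owner and the symlink are both refused.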
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-22 17:54:34 UTC
@ Maintainer(s): To fix this vulnerability you have to bump at least to =app-admin/abrt-2.1.11-20.el7 (which matches the version required for bug 546798).
Comment 2 Larry the Git Cow gentoo-dev 2018-05-23 22:44:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=48ba7760fa6b26b4413be0125a7c9517f9bce8cb

commit 48ba7760fa6b26b4413be0125a7c9517f9bce8cb
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-05-23 22:43:42 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-05-23 22:43:42 +0000

    app-admin/abrt: bumpity bump bump
    
    Bug: https://bugs.gentoo.org/546798
    Bug: https://bugs.gentoo.org/546912
    Closes: https://bugs.gentoo.org/451742
    Package-Manager: Portage-2.3.38, Repoman-2.3.9

 app-admin/abrt/Manifest           |   1 +
 app-admin/abrt/abrt-2.10.9.ebuild | 113 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 114 insertions(+)
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-11-30 22:22:09 UTC
@arches, please stabilize.
Comment 4 Stabilization helper bot gentoo-dev 2018-11-30 23:01:20 UTC
An automated check of this bug failed - repoman reported dependency errors (22 lines truncated): 

> dependency.bad app-admin/abrt/abrt-2.10.10-r2.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['dev-python/humanize[python_targets_python3_4(-)?,python_targets_python3_5(-)?,python_targets_python3_6(-)?,-python_single_target_jython2_7(-),-python_single_target_pypy(-),-python_single_target_pypy3(-),-python_single_target_python2_7(-),-python_single_target_python3_7(-),python_single_target_python3_4(+)?,python_single_target_python3_5(+)?,python_single_target_python3_6(+)?]']
> dependency.bad app-admin/abrt/abrt-2.10.10-r2.ebuild: RDEPEND: amd64(default/linux/amd64/17.0/desktop) ['dev-python/humanize[python_targets_python3_4(-)?,python_targets_python3_5(-)?,python_targets_python3_6(-)?,-python_single_target_jython2_7(-),-python_single_target_pypy(-),-python_single_target_pypy3(-),-python_single_target_python2_7(-),-python_single_target_python3_7(-),python_single_target_python3_4(+)?,python_single_target_python3_5(+)?,python_single_target_python3_6(+)?]']
> dependency.bad app-admin/abrt/abrt-2.10.10-r2.ebuild: RDEPEND: amd64(default/linux/amd64/17.0/desktop/gnome) ['dev-python/humanize[python_targets_python3_4(-)?,python_targets_python3_5(-)?,python_targets_python3_6(-)?,-python_single_target_jython2_7(-),-python_single_target_pypy(-),-python_single_target_pypy3(-),-python_single_target_python2_7(-),-python_single_target_python3_7(-),python_single_target_python3_4(+)?,python_single_target_python3_5(+)?,python_single_target_python3_6(+)?]']
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-07 02:43:10 UTC
x86 stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-12-12 16:31:25 UTC
amd64 stable
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2018-12-12 22:22:17 UTC
@gnome, please clean vulnerable.
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2019-03-10 03:54:26 UTC
yoooooo Gnome peoples...
Comment 9 Mart Raudsepp gentoo-dev 2019-03-10 08:54:33 UTC
I knew you are the co-maintainer :D
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2019-03-10 14:44:36 UTC
(In reply to Mart Raudsepp from comment #9)
> I knew you are the co-maintainer :D

Hah!  I just helped out in bumping it... so we could close old sec bugs.