Ubuntu 6614 Published by

Leonidas S. Barbosa has announced that an updated Apport package that fixes several vulnerabilities has been released for Ubuntu 14.04 ESM. Ubuntu Extended Security Maintenance (ESM) is a paid security subscription provided by Canonical Ltd.



=========================================================================
Ubuntu Security Notice USN-4171-2

November 04, 2019

apport vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in Apport.

Software Description:
- apport: automatically generate crash reports for debugging
Details:

USN-4171-1 fixed several vulnerabilities in apport. This update provides the corresponding update for Ubuntu 14.04 ESM.

Original advisory details:

Kevin Backhouse discovered Apport would read its user-controlled settings file as the root user. This could be used by a local attacker to possibly crash Apport or have other unspecified consequences. (CVE-2019-11481)
Sander Bos discovered a race-condition in Apport during core dump creation. This could be used by a local attacker to generate a crash reportfor a privileged process that is readable by an unprivileged user. (CVE-2019-11482)

Sander Bos discovered Apport mishandled crash dumps originating from containers. This could be used by a local attacker to generate a crash report for a privileged process that is readable by an unprivileged user. (CVE-2019-11483)

Sander Bos discovered Apport mishandled lock-file creation. This could be used by a local attacker to cause a denial of service against Apport. (CVE-2019-11485)

Kevin Backhouse discovered Apport read various process-specific files with elevated privileges during crash dump generation. This could could be used by a local attacker to generate a crash report for a privileged process that is readable by an unprivileged user. (CVE-2019-15790)
Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM:
apport 2.14.1-0ubuntu3.29+esm2
python-apport 2.14.1-0ubuntu3.29+esm2
python3-apport 2.14.1-0ubuntu3.29+esm2

In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4171-2
https://usn.ubuntu.com/4171-1
CVE-2019-11481, CVE-2019-11482, CVE-2019-11483, CVE-2019-11485, CVE-2019-15790