Your message dated Thu, 27 Jul 2017 16:49:15 +0000
with message-id <e1dalyn-0003re...@fasolo.debian.org>
and subject line Bug#868831: fixed in apport 2.20.4-2
has caused the Debian Bug report #868831,
regarding apport: CVE-2017-10708
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
868831: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868831
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apport
Version: 2.16.2-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://launchpad.net/bugs/1700573
Hi,
the following vulnerability was published for apport.
CVE-2017-10708[0]:
| An issue was discovered in Apport through 2.20.x. In apport/report.py,
| Apport sets the ExecutablePath field and it then uses the path to run
| package specific hooks without protecting against path traversal. This
| allows remote attackers to execute arbitrary code via a crafted .crash
| file.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-10708
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10708
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
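The class of bug named in the CVE text above (a path field taken from an untrusted report and then used to locate hook code), as an added example that is not apport's code and not part of the original messages. The trusted prefix, the `<root>/bin/<exe>` layout and the `hooks` directory name are assumptions made for illustration; all sample paths are constructed in a temporary directory.

```python
import os
import tempfile

HOOK_DIRNAME = "hooks"  # assumed name, for illustration only


def naive_hook_dir(executable_path, prefix):
    """Prefix test on the raw string; '..' and symlinks are never resolved."""
    if not executable_path.startswith(prefix + "/"):
        return None
    package_root = os.path.dirname(os.path.dirname(executable_path))
    return os.path.join(package_root, HOOK_DIRNAME)


def safe_hook_dir(executable_path, prefix):
    """Resolve the path first, then require the result to stay under prefix."""
    if "\0" in executable_path or not os.path.isabs(executable_path):
        return None
    real_prefix = os.path.realpath(prefix)
    resolved = os.path.realpath(executable_path)  # collapses '..' and symlinks
    package_root = os.path.dirname(os.path.dirname(resolved))
    hook_dir = os.path.realpath(os.path.join(package_root, HOOK_DIRNAME))
    # commonpath compares whole components, so /opt-other does not match /opt
    if os.path.commonpath([real_prefix, hook_dir]) != real_prefix:
        return None
    return hook_dir


def demo():
    """Run both checks over constructed paths; returns name -> (naive, safe)."""
    with tempfile.TemporaryDirectory() as tmp:
        prefix = os.path.join(tmp, "opt")
        os.makedirs(os.path.join(prefix, "vendor", "bin"))
        os.makedirs(os.path.join(tmp, "outside", "bin"))
        os.symlink(os.path.join(tmp, "outside"), os.path.join(prefix, "link"))
        cases = {
            "normal": os.path.join(prefix, "vendor", "bin", "app"),
            "dotdot": prefix + "/../outside/bin/app",
            "symlink": os.path.join(prefix, "link", "bin", "app"),
        }
        return {name: (naive_hook_dir(path, prefix), safe_hook_dir(path, prefix))
                for name, path in cases.items()}


if __name__ == "__main__":
    for name, (naive, safe) in demo().items():
        print(f"{name:8} naive={naive!r} safe={safe!r}")
```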
--- Begin Message ---
Source: apport
Source-Version: 2.20.4-2
We believe that the bug you reported is fixed in the latest version of
apport, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 868...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ritesh Raj Sarraf <r...@debian.org> (supplier of updated apport package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 27 Jul 2017 21:31:12 +0530
Source: apport
Binary: apport apport-notify python-problem-report python3-problem-report
python-apport python3-apport apport-retrace apport-valgrind apport-gtk
apport-kde dh-apport
Architecture: source all amd64
Version: 2.20.4-2
Distribution: experimental
Urgency: medium
Maintainer: Ritesh Raj Sarraf <r...@debian.org>
Changed-By: Ritesh Raj Sarraf <r...@debian.org>
Description:
apport - automatically generate crash reports for debugging
apport-gtk - GTK+ frontend for the apport crash report system
apport-kde - KDE frontend for the apport crash report system
apport-notify - automatically generate crash reports for debugging
apport-retrace - tools for reprocessing Apport crash reports
apport-valgrind - valgrind wrapper that first downloads debug symbols
dh-apport - debhelper extension for the apport crash report system
python-apport - Python library for Apport crash report handling
python-problem-report - Python library to handle problem reports
python3-apport - Python 3 library for Apport crash report handling
python3-problem-report - Python 3 library to handle problem reports
Closes: 868831
Changes:
apport (2.20.4-2) experimental; urgency=medium
.
* [4acc7ef] Refresh patches
* [116a5d6] Fix security vulnerability in apport (CVE-2017-10708)
(Closes: #868831)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---