Control: tag -1 +pending
Thank you for the bug report. I just prepared an upload and it should clear the ftp archives soon. On Wed, 2017-07-19 at 06:26 +0200, Salvatore Bonaccorso wrote: > Source: apport > Version: 2.16.2-1 > Severity: grave > Tags: security upstream > Justification: user security hole > Forwarded: https://launchpad.net/bugs/1700573 > > Hi, > > the following vulnerability was published for apport. > > CVE-2017-10708[0]: > > An issue was discovered in Apport through 2.20.x. In > > apport/report.py, > > Apport sets the ExecutablePath field and it then uses the path to > > run > > package specific hooks without protecting against path traversal. > > This > > allows remote attackers to execute arbitrary code via a crafted > > .crash > > file. > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2017-10708 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10708 > > Please adjust the affected versions in the BTS as needed. > > Regards, > Salvatore -- Ritesh Raj Sarraf | http://people.debian.org/~rrs Debian - The Universal Operating System
signature.asc
Description: This is a digitally signed message part
