========================================================================== Ubuntu Security Notice USN-3157-1 December 14, 2016 apport vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.10 - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Apport could be made to run programs as your login if it opened a specially crafted file. Software Description: - apport: automatically generate crash reports for debugging Details: Donncha O Cearbhaill discovered that the crash file parser in Apport improperly treated the CrashDB field as python code. An attacker could use this to convince a user to open a maliciously crafted crash file and execute arbitrary code with the privileges of that user. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-9949) Donncha O Cearbhaill discovered that Apport did not properly sanitize the Package and SourcePackage fields in crash files before processing package specific hooks. An attacker could use this to convince a user to open a maliciously crafted crash file and execute arbitrary code with the privileges of that user. (CVE-2016-9950) Donncha O Cearbhaill discovered that Apport would offer to restart an application based on the contents of the RespawnCommand or ProcCmdline fields in a crash file. An attacker could use this to convince a user to open a maliciously crafted crash file and execute arbitrary code with the privileges of that user. (CVE-2016-9951) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.10: apport 2.20.3-0ubuntu8.2 apport-gtk 2.20.3-0ubuntu8.2 apport-kde 2.20.3-0ubuntu8.2 python-apport 2.20.3-0ubuntu8.2 python3-apport 2.20.3-0ubuntu8.2 Ubuntu 16.04 LTS: apport 2.20.1-0ubuntu2.4 apport-gtk 2.20.1-0ubuntu2.4 apport-kde 2.20.1-0ubuntu2.4 python-apport 2.20.1-0ubuntu2.4 python3-apport 2.20.1-0ubuntu2.4 Ubuntu 14.04 LTS: apport 2.14.1-0ubuntu3.23 apport-gtk 2.14.1-0ubuntu3.23 apport-kde 2.14.1-0ubuntu3.23 python-apport 2.14.1-0ubuntu3.23 python3-apport 2.14.1-0ubuntu3.23 Ubuntu 12.04 LTS: apport 2.0.1-0ubuntu17.15 apport-gtk 2.0.1-0ubuntu17.15 apport-kde 2.0.1-0ubuntu17.15 python-apport 2.0.1-0ubuntu17.15 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-3157-1 CVE-2016-9949, CVE-2016-9950, CVE-2016-9951 Package Information: https://launchpad.net/ubuntu/+source/apport/2.20.3-0ubuntu8.2 https://launchpad.net/ubuntu/+source/apport/2.20.1-0ubuntu2.4 https://launchpad.net/ubuntu/+source/apport/2.14.1-0ubuntu3.23 https://launchpad.net/ubuntu/+source/apport/2.0.1-0ubuntu17.15