========================================================================= Ubuntu Security Notice USN-4171-1 October 30, 2019 apport vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 19.10 - Ubuntu 19.04 - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in Apport. Software Description: - apport: automatically generate crash reports for debugging Details: Kevin Backhouse discovered Apport would read its user-controlled settings file as the root user. This could be used by a local attacker to possibly crash Apport or have other unspecified consequences. (CVE-2019-11481) Sander Bos discovered a race-condition in Apport during core dump creation. This could be used by a local attacker to generate a crash report for a privileged process that is readable by an unprivileged user. (CVE-2019-11482) Sander Bos discovered Apport mishandled crash dumps originating from containers. This could be used by a local attacker to generate a crash report for a privileged process that is readable by an unprivileged user. (CVE-2019-11483) Sander Bos discovered Apport mishandled lock-file creation. This could be used by a local attacker to cause a denial of service against Apport. (CVE-2019-11485) Kevin Backhouse discovered Apport read various process-specific files with elevated privileges during crash dump generation. This could could be used by a local attacker to generate a crash report for a privileged process that is readable by an unprivileged user. (CVE-2019-15790) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 19.10: apport 2.20.11-0ubuntu8.1 python-apport 2.20.11-0ubuntu8.1 python3-apport 2.20.11-0ubuntu8.1 Ubuntu 19.04: apport 2.20.10-0ubuntu27.2 python-apport 2.20.10-0ubuntu27.2 python3-apport 2.20.10-0ubuntu27.2 Ubuntu 18.04 LTS: apport 2.20.9-0ubuntu7.8 python-apport 2.20.9-0ubuntu7.8 python3-apport 2.20.9-0ubuntu7.8 Ubuntu 16.04 LTS: apport 2.20.1-0ubuntu2.20 python-apport 2.20.1-0ubuntu2.20 python3-apport 2.20.1-0ubuntu2.20 In general, a standard system update will make all the necessary changes. References: https://usn.ubuntu.com/4171-1 CVE-2019-11481, CVE-2019-11482, CVE-2019-11483, CVE-2019-11485, CVE-2019-15790 Package Information: https://launchpad.net/ubuntu/+source/apport/2.20.11-0ubuntu8.1 https://launchpad.net/ubuntu/+source/apport/2.20.10-0ubuntu27.2 https://launchpad.net/ubuntu/+source/apport/2.20.9-0ubuntu7.8 https://launchpad.net/ubuntu/+source/apport/2.20.1-0ubuntu2.20