Oval Definition: oval:com.redhat.rhsa:def:20130215
Revision Date: 2013-01-31
Version: 639
Title: RHSA-2013:0215: abrt and libreport security update (Important)
Description: ABRT (Automatic Bug Reporting Tool) is a tool to help users to detect
defects in applications and to create a bug report with all the information
needed by a maintainer to fix it. It uses a plug-in system to extend its
functionality. libreport provides an API for reporting different problems
in applications to different bug targets, such as Bugzilla, FTP, and Trac.

It was found that the
/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache tool did not
sufficiently sanitize its environment variables. This could lead to Python
modules being loaded and run from non-standard directories (such as /tmp/).
A local attacker could use this flaw to escalate their privileges to that
of the abrt user. (CVE-2012-5659)

A race condition was found in the way ABRT handled the directories used to
store information about crashes. A local attacker with the privileges of
the abrt user could use this flaw to perform a symbolic link attack,
possibly allowing them to escalate their privileges to root.
(CVE-2012-5660)

Red Hat would like to thank Martin Carpenter of Citco for reporting the
CVE-2012-5660 issue. CVE-2012-5659 was discovered by Miloslav Trmač of Red
Hat.

All users of abrt and libreport are advised to upgrade to these updated
packages, which correct these issues.
Family: unix
Class: patch
Status:
Reference(s): CVE-2012-5659
CVE-2012-5660
RHSA-2013:0215
RHSA-2013:0215-03
Platform(s): Red Hat Enterprise Linux 6
Product(s):
Definition Synopsis
  • Red Hat Enterprise Linux must be installed
  • OR Package Information
  • Red Hat Enterprise Linux 6 is installed
  • AND
  • libreport is earlier than 0:2.0.9-5.el6_3.2
  • AND libreport is signed with Red Hat redhatrelease2 key
  • libreport-cli is earlier than 0:2.0.9-5.el6_3.2
  • AND libreport-cli is signed with Red Hat redhatrelease2 key
  • libreport-devel is earlier than 0:2.0.9-5.el6_3.2
  • AND libreport-devel is signed with Red Hat redhatrelease2 key
  • libreport-gtk is earlier than 0:2.0.9-5.el6_3.2
  • AND libreport-gtk is signed with Red Hat redhatrelease2 key
  • libreport-gtk-devel is earlier than 0:2.0.9-5.el6_3.2
  • AND libreport-gtk-devel is signed with Red Hat redhatrelease2 key
  • libreport-newt is earlier than 0:2.0.9-5.el6_3.2
  • AND libreport-newt is signed with Red Hat redhatrelease2 key
  • libreport-plugin-bugzilla is earlier than 0:2.0.9-5.el6_3.2
  • AND libreport-plugin-bugzilla is signed with Red Hat redhatrelease2 key
  • libreport-plugin-kerneloops is earlier than 0:2.0.9-5.el6_3.2
  • AND libreport-plugin-kerneloops is signed with Red Hat redhatrelease2 key
  • libreport-plugin-logger is earlier than 0:2.0.9-5.el6_3.2
  • AND libreport-plugin-logger is signed with Red Hat redhatrelease2 key
  • libreport-plugin-mailx is earlier than 0:2.0.9-5.el6_3.2
  • AND libreport-plugin-mailx is signed with Red Hat redhatrelease2 key
  • libreport-plugin-reportuploader is earlier than 0:2.0.9-5.el6_3.2
  • AND libreport-plugin-reportuploader is signed with Red Hat redhatrelease2 key
  • libreport-plugin-rhtsupport is earlier than 0:2.0.9-5.el6_3.2
  • AND libreport-plugin-rhtsupport is signed with Red Hat redhatrelease2 key
  • libreport-python is earlier than 0:2.0.9-5.el6_3.2
  • AND libreport-python is signed with Red Hat redhatrelease2 key
  • abrt is earlier than 0:2.0.8-6.el6_3.2
  • AND abrt is signed with Red Hat redhatrelease2 key
  • abrt-addon-ccpp is earlier than 0:2.0.8-6.el6_3.2
  • AND abrt-addon-ccpp is signed with Red Hat redhatrelease2 key
  • abrt-addon-kerneloops is earlier than 0:2.0.8-6.el6_3.2
  • AND abrt-addon-kerneloops is signed with Red Hat redhatrelease2 key
  • abrt-addon-python is earlier than 0:2.0.8-6.el6_3.2
  • AND abrt-addon-python is signed with Red Hat redhatrelease2 key
  • abrt-addon-vmcore is earlier than 0:2.0.8-6.el6_3.2
  • AND abrt-addon-vmcore is signed with Red Hat redhatrelease2 key
  • abrt-cli is earlier than 0:2.0.8-6.el6_3.2
  • AND abrt-cli is signed with Red Hat redhatrelease2 key
  • abrt-desktop is earlier than 0:2.0.8-6.el6_3.2
  • AND abrt-desktop is signed with Red Hat redhatrelease2 key
  • abrt-devel is earlier than 0:2.0.8-6.el6_3.2
  • AND abrt-devel is signed with Red Hat redhatrelease2 key
  • abrt-gui is earlier than 0:2.0.8-6.el6_3.2
  • AND abrt-gui is signed with Red Hat redhatrelease2 key
  • abrt-libs is earlier than 0:2.0.8-6.el6_3.2
  • AND abrt-libs is signed with Red Hat redhatrelease2 key
  • abrt-tui is earlier than 0:2.0.8-6.el6_3.2
  • AND abrt-tui is signed with Red Hat redhatrelease2 key