Important CentOS libreport Update

Metadata

medium
6.9
abrt-2.0.8-6.el6.centos.2.i686.rpm, abrt-2.0.8-6.el6.centos.2.src.rpm, abrt-2.0.8-6.el6.centos.2.x86_64.rpm, abrt-addon-ccpp-2.0.8-6.el6.centos.2.i686.rpm, abrt-addon-ccpp-2.0.8-6.el6.centos.2.x86_64.rpm, abrt-addon-kerneloops-2.0.8-6.el6.centos.2.i686.rpm, abrt-addon-kerneloops-2.0.8-6.el6.centos.2.x86_64.rpm, abrt-addon-python-2.0.8-6.el6.centos.2.i686.rpm, abrt-addon-python-2.0.8-6.el6.centos.2.x86_64.rpm, abrt-addon-vmcore-2.0.8-6.el6.centos.2.i686.rpm, abrt-addon-vmcore-2.0.8-6.el6.centos.2.x86_64.rpm, abrt-cli-2.0.8-6.el6.centos.2.i686.rpm, abrt-cli-2.0.8-6.el6.centos.2.x86_64.rpm, abrt-desktop-2.0.8-6.el6.centos.2.i686.rpm, abrt-desktop-2.0.8-6.el6.centos.2.x86_64.rpm, abrt-devel-2.0.8-6.el6.centos.2.i686.rpm, abrt-devel-2.0.8-6.el6.centos.2.x86_64.rpm, abrt-gui-2.0.8-6.el6.centos.2.i686.rpm, abrt-gui-2.0.8-6.el6.centos.2.x86_64.rpm, abrt-libs-2.0.8-6.el6.centos.2.i686.rpm, abrt-libs-2.0.8-6.el6.centos.2.x86_64.rpm, abrt-tui-2.0.8-6.el6.centos.2.i686.rpm, abrt-tui-2.0.8-6.el6.centos.2.x86_64.rpm, libreport-2.0.9-5.el6.centos.2.i686.rpm, libreport-2.0.9-5.el6.centos.2.src.rpm, libreport-2.0.9-5.el6.centos.2.x86_64.rpm, libreport-cli-2.0.9-5.el6.centos.2.i686.rpm, libreport-cli-2.0.9-5.el6.centos.2.x86_64.rpm, libreport-devel-2.0.9-5.el6.centos.2.i686.rpm, libreport-devel-2.0.9-5.el6.centos.2.x86_64.rpm, libreport-gtk-2.0.9-5.el6.centos.2.i686.rpm, libreport-gtk-2.0.9-5.el6.centos.2.x86_64.rpm, libreport-gtk-devel-2.0.9-5.el6.centos.2.i686.rpm, libreport-gtk-devel-2.0.9-5.el6.centos.2.x86_64.rpm, libreport-newt-2.0.9-5.el6.centos.2.i686.rpm, libreport-newt-2.0.9-5.el6.centos.2.x86_64.rpm, libreport-plugin-bugzilla-2.0.9-5.el6.centos.2.i686.rpm, libreport-plugin-bugzilla-2.0.9-5.el6.centos.2.x86_64.rpm, libreport-plugin-kerneloops-2.0.9-5.el6.centos.2.i686.rpm, libreport-plugin-kerneloops-2.0.9-5.el6.centos.2.x86_64.rpm, libreport-plugin-logger-2.0.9-5.el6.centos.2.i686.rpm, libreport-plugin-logger-2.0.9-5.el6.centos.2.x86_64.rpm, 
libreport-plugin-mailx-2.0.9-5.el6.centos.2.i686.rpm, libreport-plugin-mailx-2.0.9-5.el6.centos.2.x86_64.rpm, libreport-plugin-reportuploader-2.0.9-5.el6.centos.2.i686.rpm, libreport-plugin-reportuploader-2.0.9-5.el6.centos.2.x86_64.rpm, libreport-plugin-rhtsupport-2.0.9-5.el6.centos.2.i686.rpm, libreport-plugin-rhtsupport-2.0.9-5.el6.centos.2.x86_64.rpm, libreport-python-2.0.9-5.el6.centos.2.i686.rpm, libreport-python-2.0.9-5.el6.centos.2.x86_64.rpm
CVE-2012-5659, CVE-2012-5660
rhn.redhat.com, lists.centos.org, lists.centos.org
2013-02-01
2017-07-27 19:04
2017-04-01 19:06
2017-01-05 20:10

Description


Updated abrt and libreport packages that fix two security issues are now
available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

ABRT (Automatic Bug Reporting Tool) is a tool to help users to detect
defects in applications and to create a bug report with all the information
needed by a maintainer to fix it. It uses a plug-in system to extend its
functionality. libreport provides an API for reporting different problems
in applications to different bug targets, such as Bugzilla, FTP, and Trac.

It was found that the
/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache tool did not
sufficiently sanitize its environment variables. This could lead to Python
modules being loaded and run from non-standard directories (such as /tmp/).
A local attacker could use this flaw to escalate their privileges to that
of the abrt user. (CVE-2012-5659)
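
The class of flaw described above can be reproduced harmlessly with two child interpreters. This is an added example, not ABRT code and not the vendor's fix: the advisory does not name the variables involved, so `PYTHONPATH` stands in as one variable that redirects module loading, and `constructed_probe`, `ALLOWED` and `TRUSTED_PATH` are hypothetical names chosen for the demonstration.

```python
import os
import subprocess
import sys
import tempfile

PROBE = "constructed_probe"           # hypothetical module name, used only in this demo
ALLOWED = ("LANG", "LC_ALL", "TERM")  # variables the child is allowed to inherit
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def sanitized_env(caller_env):
    """Build the child's environment from an allow-list, so PYTHONPATH is never copied."""
    env = {k: caller_env[k] for k in ALLOWED if k in caller_env}
    env["PATH"] = TRUSTED_PATH
    return env


def child_finds_probe(env, workdir, flags=()):
    """Start a child interpreter and report whether PROBE is importable in it."""
    code = ("import importlib.util, sys; "
            "sys.exit(0 if importlib.util.find_spec(%r) else 1)" % PROBE)
    cmd = [sys.executable, *flags, "-c", code]
    return subprocess.run(cmd, env=env, cwd=workdir).returncode == 0


def demo():
    """Return, per launch style, whether a module in a caller-chosen directory was reachable."""
    with tempfile.TemporaryDirectory() as untrusted, tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(untrusted, PROBE + ".py"), "w") as fh:
            fh.write("MARKER = 'found via PYTHONPATH'\n")
        caller_env = dict(os.environ, PYTHONPATH=untrusted)  # environment chosen by the caller
        clean_env = sanitized_env(caller_env)
        return {
            "inherited": child_finds_probe(caller_env, workdir),
            "allow_list": child_finds_probe(clean_env, workdir),
            "allow_list_isolated": child_finds_probe(clean_env, workdir, ("-I",)),
            "inherited_isolated": child_finds_probe(caller_env, workdir, ("-I",)),
        }


if __name__ == "__main__":
    for mode, reachable in demo().items():
        print(f"{mode:20s} probe importable: {reachable}")
```

Only the `inherited` launch can see the probe module. Building the environment from an allow-list and starting the interpreter with `-I` each close the path independently, which is why a privileged helper should do both.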

A race condition was found in the way ABRT handled the directories used to
store information about crashes. A local attacker with the privileges of
the abrt user could use this flaw to perform a symbolic link attack,
possibly allowing them to escalate their privileges to root.
(CVE-2012-5660)

Red Hat would like to thank Martin Carpenter of Citco for reporting the
CVE-2012-5660 issue. CVE-2012-5659 was discovered by Miloslav Trmač of Red
Hat.

All users of abrt and libreport are advised to upgrade to these updated
packages, which correct these issues.

Am I vulnerable?

The constraints below list the versions in which this vulnerability is patched, and the versions that are unaffected. If a patch is ready but unreleased, it is marked as pending.

Affected package information

| Release | Package | Patched in |
|---|---|---|
| 6 | abrt | abrt-2.0.8-6.el6.centos.2.i686.rpm |
| | abrt | abrt-2.0.8-6.el6.centos.2.src.rpm |
| | abrt | abrt-2.0.8-6.el6.centos.2.x86_64.rpm |
| | abrt-addon-ccpp | abrt-addon-ccpp-2.0.8-6.el6.centos.2.i686.rpm |
| | abrt-addon-ccpp | abrt-addon-ccpp-2.0.8-6.el6.centos.2.x86_64.rpm |
| | abrt-addon-kerneloops | abrt-addon-kerneloops-2.0.8-6.el6.centos.2.i686.rpm |
| | abrt-addon-kerneloops | abrt-addon-kerneloops-2.0.8-6.el6.centos.2.x86_64.rpm |
| | abrt-addon-python | abrt-addon-python-2.0.8-6.el6.centos.2.i686.rpm |
| | abrt-addon-python | abrt-addon-python-2.0.8-6.el6.centos.2.x86_64.rpm |
| | abrt-addon-vmcore | abrt-addon-vmcore-2.0.8-6.el6.centos.2.i686.rpm |
| | abrt-addon-vmcore | abrt-addon-vmcore-2.0.8-6.el6.centos.2.x86_64.rpm |
| | abrt-cli | abrt-cli-2.0.8-6.el6.centos.2.i686.rpm |
| | abrt-cli | abrt-cli-2.0.8-6.el6.centos.2.x86_64.rpm |
| | abrt-desktop | abrt-desktop-2.0.8-6.el6.centos.2.i686.rpm |
| | abrt-desktop | abrt-desktop-2.0.8-6.el6.centos.2.x86_64.rpm |
| | abrt-devel | abrt-devel-2.0.8-6.el6.centos.2.i686.rpm |
| | abrt-devel | abrt-devel-2.0.8-6.el6.centos.2.x86_64.rpm |
| | abrt-gui | abrt-gui-2.0.8-6.el6.centos.2.i686.rpm |
| | abrt-gui | abrt-gui-2.0.8-6.el6.centos.2.x86_64.rpm |
| | abrt-libs | abrt-libs-2.0.8-6.el6.centos.2.i686.rpm |
| | abrt-libs | abrt-libs-2.0.8-6.el6.centos.2.x86_64.rpm |
| | abrt-tui | abrt-tui-2.0.8-6.el6.centos.2.i686.rpm |
| | abrt-tui | abrt-tui-2.0.8-6.el6.centos.2.x86_64.rpm |
| | libreport | libreport-2.0.9-5.el6.centos.2.i686.rpm |
| | libreport | libreport-2.0.9-5.el6.centos.2.src.rpm |
| | libreport | libreport-2.0.9-5.el6.centos.2.x86_64.rpm |
| | libreport-cli | libreport-cli-2.0.9-5.el6.centos.2.i686.rpm |
| | libreport-cli | libreport-cli-2.0.9-5.el6.centos.2.x86_64.rpm |
| | libreport-devel | libreport-devel-2.0.9-5.el6.centos.2.i686.rpm |
| | libreport-devel | libreport-devel-2.0.9-5.el6.centos.2.x86_64.rpm |
| | libreport-gtk | libreport-gtk-2.0.9-5.el6.centos.2.i686.rpm |
| | libreport-gtk | libreport-gtk-2.0.9-5.el6.centos.2.x86_64.rpm |
| | libreport-gtk-devel | libreport-gtk-devel-2.0.9-5.el6.centos.2.i686.rpm |
| | libreport-gtk-devel | libreport-gtk-devel-2.0.9-5.el6.centos.2.x86_64.rpm |
| | libreport-newt | libreport-newt-2.0.9-5.el6.centos.2.i686.rpm |
| | libreport-newt | libreport-newt-2.0.9-5.el6.centos.2.x86_64.rpm |
| | libreport-plugin-bugzilla | libreport-plugin-bugzilla-2.0.9-5.el6.centos.2.i686.rpm |
| | libreport-plugin-bugzilla | libreport-plugin-bugzilla-2.0.9-5.el6.centos.2.x86_64.rpm |
| | libreport-plugin-kerneloops | libreport-plugin-kerneloops-2.0.9-5.el6.centos.2.i686.rpm |
| | libreport-plugin-kerneloops | libreport-plugin-kerneloops-2.0.9-5.el6.centos.2.x86_64.rpm |
| | libreport-plugin-logger | libreport-plugin-logger-2.0.9-5.el6.centos.2.i686.rpm |
| | libreport-plugin-logger | libreport-plugin-logger-2.0.9-5.el6.centos.2.x86_64.rpm |
| | libreport-plugin-mailx | libreport-plugin-mailx-2.0.9-5.el6.centos.2.i686.rpm |
| | libreport-plugin-mailx | libreport-plugin-mailx-2.0.9-5.el6.centos.2.x86_64.rpm |
| | libreport-plugin-reportuploader | libreport-plugin-reportuploader-2.0.9-5.el6.centos.2.i686.rpm |
| | libreport-plugin-reportuploader | libreport-plugin-reportuploader-2.0.9-5.el6.centos.2.x86_64.rpm |
| | libreport-plugin-rhtsupport | libreport-plugin-rhtsupport-2.0.9-5.el6.centos.2.i686.rpm |
| | libreport-plugin-rhtsupport | libreport-plugin-rhtsupport-2.0.9-5.el6.centos.2.x86_64.rpm |
| | libreport-python | libreport-python-2.0.9-5.el6.centos.2.i686.rpm |
| | libreport-python | libreport-python-2.0.9-5.el6.centos.2.x86_64.rpm |
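
One way to answer "Am I vulnerable?" on a host is to compare installed version-release strings against the patched ones in the table above, using rpm's segment ordering rather than plain string comparison. This is an added example, not Appcanary or CentOS code; it assumes the packages carry no epoch, uses a simplified comparison without tilde or caret handling, and runs over a constructed sample instead of real `rpm` output.

```python
import re

# Patched version-release per source package, taken from the table on this page.
PATCHED = {"abrt": "2.0.8-6.el6.centos.2", "libreport": "2.0.9-5.el6.centos.2"}

def rpmvercmp(a, b):
    """Simplified rpm segment comparison: returns -1, 0 or 1 (no tilde/caret handling)."""
    sa, sb = (re.findall(r"[0-9]+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # a numeric segment is newer than an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)                # numeric segments compare as integers
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments mean newer

def vr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    (av, _, ar), (bv, _, br) = a.rpartition("-"), b.rpartition("-")
    return rpmvercmp(av, bv) or rpmvercmp(ar, br)

def audit(rpm_output):
    """Map each installed abrt/libreport package to 'patched' or 'vulnerable'."""
    findings = {}
    for line in rpm_output.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue
        name, vr = fields
        # Assumption: subpackages (abrt-cli, libreport-python, ...) share their source package's version.
        src = next((s for s in PATCHED if name == s or name.startswith(s + "-")), None)
        if src:
            findings[name] = "patched" if vr_cmp(vr, PATCHED[src]) >= 0 else "vulnerable"
    return findings

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output (not from a real host).
SAMPLE = """\
abrt 2.0.8-6.el6
abrt-cli 2.0.8-16.el6
libreport 2.0.9-5.el6.centos.2
libreport-python 2.0.9-5.el6
bash 4.1.2-15.el6
"""

if __name__ == "__main__":
    for pkg, state in sorted(audit(SAMPLE).items()):
        print(pkg, state)
```

The `abrt-cli` row shows why the comparison has to be numeric per segment: release `16.el6` sorts before `6.el6.centos.2` as a string but is newer under rpm's rules.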