Important CentOS abrt Security Update

Metadata

high
7.2
abrt-2.1.11-22.el7.centos.0.1.src.rpm, abrt-2.1.11-22.el7.centos.0.1.x86_64.rpm, abrt-addon-ccpp-2.1.11-22.el7.centos.0.1.x86_64.rpm, abrt-addon-kerneloops-2.1.11-22.el7.centos.0.1.x86_64.rpm, abrt-addon-pstoreoops-2.1.11-22.el7.centos.0.1.x86_64.rpm, abrt-addon-python-2.1.11-22.el7.centos.0.1.x86_64.rpm, abrt-addon-upload-watch-2.1.11-22.el7.centos.0.1.x86_64.rpm, abrt-addon-vmcore-2.1.11-22.el7.centos.0.1.x86_64.rpm, abrt-addon-xorg-2.1.11-22.el7.centos.0.1.x86_64.rpm, abrt-cli-2.1.11-22.el7.centos.0.1.x86_64.rpm, abrt-console-notification-2.1.11-22.el7.centos.0.1.x86_64.rpm, abrt-dbus-2.1.11-22.el7.centos.0.1.x86_64.rpm, abrt-desktop-2.1.11-22.el7.centos.0.1.x86_64.rpm, abrt-devel-2.1.11-22.el7.centos.0.1.i686.rpm, abrt-devel-2.1.11-22.el7.centos.0.1.x86_64.rpm, abrt-gui-2.1.11-22.el7.centos.0.1.x86_64.rpm, abrt-gui-devel-2.1.11-22.el7.centos.0.1.i686.rpm, abrt-gui-devel-2.1.11-22.el7.centos.0.1.x86_64.rpm, abrt-gui-libs-2.1.11-22.el7.centos.0.1.i686.rpm, abrt-gui-libs-2.1.11-22.el7.centos.0.1.x86_64.rpm, abrt-libs-2.1.11-22.el7.centos.0.1.i686.rpm, abrt-libs-2.1.11-22.el7.centos.0.1.x86_64.rpm, abrt-python-2.1.11-22.el7.centos.0.1.x86_64.rpm, abrt-python-doc-2.1.11-22.el7.centos.0.1.noarch.rpm, abrt-retrace-client-2.1.11-22.el7.centos.0.1.x86_64.rpm, abrt-tui-2.1.11-22.el7.centos.0.1.x86_64.rpm, libreport-2.1.11-23.el7.centos.0.1.i686.rpm, libreport-2.1.11-23.el7.centos.0.1.src.rpm, libreport-2.1.11-23.el7.centos.0.1.x86_64.rpm, libreport-anaconda-2.1.11-23.el7.centos.0.1.x86_64.rpm, libreport-centos-2.1.11-23.el7.centos.0.1.x86_64.rpm, libreport-cli-2.1.11-23.el7.centos.0.1.x86_64.rpm, libreport-compat-2.1.11-23.el7.centos.0.1.x86_64.rpm, libreport-devel-2.1.11-23.el7.centos.0.1.i686.rpm, libreport-devel-2.1.11-23.el7.centos.0.1.x86_64.rpm, libreport-filesystem-2.1.11-23.el7.centos.0.1.x86_64.rpm, libreport-gtk-2.1.11-23.el7.centos.0.1.i686.rpm, libreport-gtk-2.1.11-23.el7.centos.0.1.x86_64.rpm, libreport-gtk-devel-2.1.11-23.el7.centos.0.1.i686.rpm, 
libreport-gtk-devel-2.1.11-23.el7.centos.0.1.x86_64.rpm, libreport-newt-2.1.11-23.el7.centos.0.1.x86_64.rpm, libreport-plugin-bugzilla-2.1.11-23.el7.centos.0.1.x86_64.rpm, libreport-plugin-kerneloops-2.1.11-23.el7.centos.0.1.x86_64.rpm, libreport-plugin-logger-2.1.11-23.el7.centos.0.1.x86_64.rpm, libreport-plugin-mailx-2.1.11-23.el7.centos.0.1.x86_64.rpm, libreport-plugin-mantisbt-2.1.11-23.el7.centos.0.1.x86_64.rpm, libreport-plugin-reportuploader-2.1.11-23.el7.centos.0.1.x86_64.rpm, libreport-plugin-rhtsupport-2.1.11-23.el7.centos.0.1.x86_64.rpm, libreport-plugin-ureport-2.1.11-23.el7.centos.0.1.x86_64.rpm, libreport-python-2.1.11-23.el7.centos.0.1.x86_64.rpm, libreport-rhel-2.1.11-23.el7.centos.0.1.x86_64.rpm, libreport-rhel-anaconda-bugzilla-2.1.11-23.el7.centos.0.1.x86_64.rpm, libreport-rhel-bugzilla-2.1.11-23.el7.centos.0.1.x86_64.rpm, libreport-web-2.1.11-23.el7.centos.0.1.i686.rpm, libreport-web-2.1.11-23.el7.centos.0.1.x86_64.rpm, libreport-web-devel-2.1.11-23.el7.centos.0.1.i686.rpm, libreport-web-devel-2.1.11-23.el7.centos.0.1.x86_64.rpm
CVE-2015-1869, CVE-2015-1870, CVE-2015-3142, CVE-2015-3147, CVE-2015-3150, CVE-2015-3151, CVE-2015-3159, CVE-2015-3315
rhn.redhat.com, lists.centos.org
2015-06-15
2017-07-27 19:09
2017-04-01 19:09
2017-01-05 20:13

Description

Updated abrt packages that fix multiple security issues are now available
for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available from the CVE link in the References
section.

ABRT (Automatic Bug Reporting Tool) is a tool to help users to detect
defects in applications and to create a bug report with all the information
needed by a maintainer to fix it. It uses a plug-in system to extend its
functionality.

It was found that ABRT was vulnerable to multiple race condition and
symbolic link flaws. A local attacker could use these flaws to potentially
escalate their privileges on the system. (CVE-2015-3315)

It was discovered that the kernel-invoked coredump processor provided by
ABRT wrote core dumps to files owned by other system users. This could
result in information disclosure if an application crashed while its
current directory was a directory writable by other users (such as
/tmp). (CVE-2015-3142)

It was discovered that the default event handling scripts installed by ABRT
did not handle symbolic links correctly. A local attacker with write access
to an ABRT problem directory could use this flaw to escalate their
privileges. (CVE-2015-1869)

It was found that the ABRT event scripts created a user-readable copy of an
sosreport file in ABRT problem directories, and included excerpts of
/var/log/messages selected by the user-controlled process name, leading to
an information disclosure. (CVE-2015-1870)

It was discovered that, when moving problem reports between certain
directories, abrt-handle-upload did not verify that the new problem
directory had appropriate permissions and did not contain symbolic links.
An attacker able to create a crafted problem report could use this flaw to
expose other parts of ABRT to attack, or to overwrite arbitrary files on
the system. (CVE-2015-3147)

Multiple directory traversal flaws were found in the abrt-dbus D-Bus
service. A local attacker could use these flaws to read and write arbitrary
files as the root user. (CVE-2015-3151)

It was discovered that the abrt-dbus D-Bus service did not properly check
the validity of the problem directory argument in the ChownProblemDir,
DeleteElement, and DeleteProblem methods. A local attacker could use this
flaw to take ownership of arbitrary files and directories, or to delete
files and directories as the root user. (CVE-2015-3150)
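The CVE-2015-3147, CVE-2015-3150 and CVE-2015-3151 paragraphs all come down to one missing check: a component that takes a problem directory name must refuse traversal components, refuse a symlink standing in for the directory (or planted inside it), and require sane ownership and permissions before touching anything. The following is an added example of such a validator, not ABRT's own code; the dump location, directory names and the `reason`/`backtrace` elements are constructed fixtures.

```python
import os
import stat
import tempfile

def problem_dir_is_safe(dump_location, name, expected_uid=None):
    """Validate a problem directory addressed by bare name inside dump_location.
    Returns (ok, reason): rejects traversal, a symlink in place of the directory,
    the wrong owner, group/world-writable mode and non-regular elements."""
    if not name or "/" in name or name in (".", ".."):
        return False, "name contains path separators or dot components"
    path = os.path.join(dump_location, name)
    try:
        st = os.lstat(path)            # lstat: never follow a planted symlink
    except FileNotFoundError:
        return False, "does not exist"
    if stat.S_ISLNK(st.st_mode):
        return False, "problem directory is a symbolic link"
    if not stat.S_ISDIR(st.st_mode):
        return False, "not a directory"
    if expected_uid is not None and st.st_uid != expected_uid:
        return False, "unexpected owner"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "group- or world-writable"
    real_base = os.path.realpath(dump_location)   # also catches symlinked parents
    if os.path.commonpath([real_base, os.path.realpath(path)]) != real_base:
        return False, "resolves outside the dump location"
    for entry in os.scandir(path):     # elements must be plain files, not links
        if not stat.S_ISREG(entry.stat(follow_symlinks=False).st_mode):
            return False, f"element {entry.name!r} is not a regular file"
    return True, "ok"

def demo():
    """Build constructed fixtures in a scratch dump location; return each verdict."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as base:
        good = os.path.join(base, "ccpp-2015-06-15-1")
        os.mkdir(good, 0o700)
        with open(os.path.join(good, "reason"), "w") as f:
            f.write("constructed sample element\n")
        verdicts["good"] = problem_dir_is_safe(base, "ccpp-2015-06-15-1", os.getuid())[0]
        verdicts["traversal"] = problem_dir_is_safe(base, "../outside")[0]
        os.symlink(os.path.join(base, "elsewhere"), os.path.join(base, "linked"))
        verdicts["symlinked_dir"] = problem_dir_is_safe(base, "linked")[0]
        loose = os.path.join(base, "loose")
        os.mkdir(loose)
        os.chmod(loose, 0o777)         # chmod, since mkdir's mode is umask-masked
        verdicts["world_writable"] = problem_dir_is_safe(base, "loose")[0]
        os.symlink("../outside", os.path.join(good, "backtrace"))
        verdicts["symlinked_element"] = problem_dir_is_safe(base, "ccpp-2015-06-15-1")[0]
    return verdicts
```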

It was discovered that the abrt-action-install-debuginfo-to-abrt-cache
helper program did not properly filter the process environment before
invoking abrt-action-install-debuginfo. A local attacker could use this
flaw to escalate their privileges on the system. (CVE-2015-3159)

All users of abrt are advised to upgrade to these updated packages, which
correct these issues.

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unreleased, then it is pending.
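Deciding "am I vulnerable" from the table below means comparing the installed NVR (from `rpm -q abrt --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`) against the patched NVR using rpm's segment-wise ordering, where `22.el7.centos.0.1` sorts after `22.el7` because leftover segments win. This is an added example, not Appcanary's or rpm's code: it reimplements rpm's `rpmvercmp()` rule (without tilde/caret handling) and assumes epoch 0, which holds for the abrt and libreport packages listed here; the installed strings in the test are constructed samples.

```python
import re

def rpmvercmp(a, b):
    """Compare two version/release strings like rpm does: split into numeric
    and alphabetic segments, numeric segments compare as integers and beat
    alphabetic ones, and the side with segments left over is newer.
    Returns -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while True:
        while i < len(a) and not a[i].isalnum():   # skip '.', '_', '-' etc.
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        pat = r"\d+" if numeric else r"[A-Za-z]+"
        sa = re.match(pat, a[i:]).group()
        mb = re.match(pat, b[j:])
        if mb is None:                  # mixed types: the numeric side is newer
            return 1 if numeric else -1
        sb = mb.group()
        i, j = i + len(sa), j + len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):      # longer digit string is the bigger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1     # leftover segments win

def parse_nvr(s):
    """Split 'name-version-release', optionally ending in '.<arch>.rpm', into parts."""
    s = re.sub(r"\.(src|noarch|i686|x86_64)\.rpm$", "", s)
    name, version, release = s.rsplit("-", 2)
    return name, version, release

def is_patched(installed, patched):
    """True if the installed NVR is at least the patched NVR (epoch assumed 0)."""
    n1, v1, r1 = parse_nvr(installed)
    n2, v2, r2 = parse_nvr(patched)
    if n1 != n2:
        raise ValueError(f"package mismatch: {n1} vs {n2}")
    return (rpmvercmp(v1, v2) or rpmvercmp(r1, r2)) >= 0
```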


Affected package information

Release Package Patched in
7 abrt abrt-2.1.11-22.el7.centos.0.1.src.rpm
abrt abrt-2.1.11-22.el7.centos.0.1.x86_64.rpm
abrt-addon-ccpp abrt-addon-ccpp-2.1.11-22.el7.centos.0.1.x86_64.rpm
abrt-addon-kerneloops abrt-addon-kerneloops-2.1.11-22.el7.centos.0.1.x86_64.rpm
abrt-addon-pstoreoops abrt-addon-pstoreoops-2.1.11-22.el7.centos.0.1.x86_64.rpm
abrt-addon-python abrt-addon-python-2.1.11-22.el7.centos.0.1.x86_64.rpm
abrt-addon-upload-watch abrt-addon-upload-watch-2.1.11-22.el7.centos.0.1.x86_64.rpm
abrt-addon-vmcore abrt-addon-vmcore-2.1.11-22.el7.centos.0.1.x86_64.rpm
abrt-addon-xorg abrt-addon-xorg-2.1.11-22.el7.centos.0.1.x86_64.rpm
abrt-cli abrt-cli-2.1.11-22.el7.centos.0.1.x86_64.rpm
abrt-console-notification abrt-console-notification-2.1.11-22.el7.centos.0.1.x86_64.rpm
abrt-dbus abrt-dbus-2.1.11-22.el7.centos.0.1.x86_64.rpm
abrt-desktop abrt-desktop-2.1.11-22.el7.centos.0.1.x86_64.rpm
abrt-devel abrt-devel-2.1.11-22.el7.centos.0.1.i686.rpm
abrt-devel abrt-devel-2.1.11-22.el7.centos.0.1.x86_64.rpm
abrt-gui abrt-gui-2.1.11-22.el7.centos.0.1.x86_64.rpm
abrt-gui-devel abrt-gui-devel-2.1.11-22.el7.centos.0.1.i686.rpm
abrt-gui-devel abrt-gui-devel-2.1.11-22.el7.centos.0.1.x86_64.rpm
abrt-gui-libs abrt-gui-libs-2.1.11-22.el7.centos.0.1.i686.rpm
abrt-gui-libs abrt-gui-libs-2.1.11-22.el7.centos.0.1.x86_64.rpm
abrt-libs abrt-libs-2.1.11-22.el7.centos.0.1.i686.rpm
abrt-libs abrt-libs-2.1.11-22.el7.centos.0.1.x86_64.rpm
abrt-python abrt-python-2.1.11-22.el7.centos.0.1.x86_64.rpm
abrt-python-doc abrt-python-doc-2.1.11-22.el7.centos.0.1.noarch.rpm
abrt-retrace-client abrt-retrace-client-2.1.11-22.el7.centos.0.1.x86_64.rpm
abrt-tui abrt-tui-2.1.11-22.el7.centos.0.1.x86_64.rpm
libreport libreport-2.1.11-23.el7.centos.0.1.i686.rpm
libreport libreport-2.1.11-23.el7.centos.0.1.src.rpm
libreport libreport-2.1.11-23.el7.centos.0.1.x86_64.rpm
libreport-anaconda libreport-anaconda-2.1.11-23.el7.centos.0.1.x86_64.rpm
libreport-centos libreport-centos-2.1.11-23.el7.centos.0.1.x86_64.rpm
libreport-cli libreport-cli-2.1.11-23.el7.centos.0.1.x86_64.rpm
libreport-compat libreport-compat-2.1.11-23.el7.centos.0.1.x86_64.rpm
libreport-devel libreport-devel-2.1.11-23.el7.centos.0.1.i686.rpm
libreport-devel libreport-devel-2.1.11-23.el7.centos.0.1.x86_64.rpm
libreport-filesystem libreport-filesystem-2.1.11-23.el7.centos.0.1.x86_64.rpm
libreport-gtk libreport-gtk-2.1.11-23.el7.centos.0.1.i686.rpm
libreport-gtk libreport-gtk-2.1.11-23.el7.centos.0.1.x86_64.rpm
libreport-gtk-devel libreport-gtk-devel-2.1.11-23.el7.centos.0.1.i686.rpm
libreport-gtk-devel libreport-gtk-devel-2.1.11-23.el7.centos.0.1.x86_64.rpm
libreport-newt libreport-newt-2.1.11-23.el7.centos.0.1.x86_64.rpm
libreport-plugin-bugzilla libreport-plugin-bugzilla-2.1.11-23.el7.centos.0.1.x86_64.rpm
libreport-plugin-kerneloops libreport-plugin-kerneloops-2.1.11-23.el7.centos.0.1.x86_64.rpm
libreport-plugin-logger libreport-plugin-logger-2.1.11-23.el7.centos.0.1.x86_64.rpm
libreport-plugin-mailx libreport-plugin-mailx-2.1.11-23.el7.centos.0.1.x86_64.rpm
libreport-plugin-mantisbt libreport-plugin-mantisbt-2.1.11-23.el7.centos.0.1.x86_64.rpm
libreport-plugin-reportuploader libreport-plugin-reportuploader-2.1.11-23.el7.centos.0.1.x86_64.rpm
libreport-plugin-rhtsupport libreport-plugin-rhtsupport-2.1.11-23.el7.centos.0.1.x86_64.rpm
libreport-plugin-ureport libreport-plugin-ureport-2.1.11-23.el7.centos.0.1.x86_64.rpm
libreport-python libreport-python-2.1.11-23.el7.centos.0.1.x86_64.rpm
libreport-rhel libreport-rhel-2.1.11-23.el7.centos.0.1.x86_64.rpm
libreport-rhel-anaconda-bugzilla libreport-rhel-anaconda-bugzilla-2.1.11-23.el7.centos.0.1.x86_64.rpm
libreport-rhel-bugzilla libreport-rhel-bugzilla-2.1.11-23.el7.centos.0.1.x86_64.rpm
libreport-web libreport-web-2.1.11-23.el7.centos.0.1.i686.rpm
libreport-web libreport-web-2.1.11-23.el7.centos.0.1.x86_64.rpm
libreport-web-devel libreport-web-devel-2.1.11-23.el7.centos.0.1.i686.rpm
libreport-web-devel libreport-web-devel-2.1.11-23.el7.centos.0.1.x86_64.rpm