Mageia alert MGASA-2012-0357 (abrt)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2012-0357: abrt-2.0.7-3.1.mga2 (2/core)
Date:  Tue, 11 Dec 2012 22:19:20 +0100
Message-ID:  <20121211211920.GA19272@valstar.mageia.org>

MGASA-2012-0357

Date: December 11th, 2012
Affected releases: 2

Description:
Updated abrt packages fix security vulnerability:

If the C handler plug-in in ABRT was enabled (the abrt-addon-ccpp package installed and the abrt-ccpp service running), and the sysctl fs.suid_dumpable option was set to "2" (it is "0" by default), core dumps of set user ID (setuid) programs were created with insecure group ID permissions. This could allow local, unprivileged users to obtain sensitive information from the core dump files of setuid processes they would otherwise not be able to access (CVE-2012-1106).

Updated Packages:
abrt-2.0.7-3.1.mga2
abrt-addon-ccpp-2.0.7-3.1.mga2
abrt-addon-kerneloops-2.0.7-3.1.mga2
abrt-addon-python-2.0.7-3.1.mga2
abrt-addon-vmcore-2.0.7-3.1.mga2
abrt-cli-2.0.7-3.1.mga2
abrt-desktop-2.0.7-3.1.mga2
abrt-gui-2.0.7-3.1.mga2
lib(64)abrt0-2.0.7-3.1.mga2
lib(64)abrt-devel-2.0.7-3.1.mga2

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1106
https://rhn.redhat.com/errata/RHSA-2012-0841.html
https://bugs.mageia.org/show_bug.cgi?id=6523
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-...



Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds