Red Hat Security Advisory: abrt and libreport security update Security Advisory secalert@redhat.com Red Hat Security Response Team RHSA-2013:0215 Final 3 3 2013-01-31T19:08:00Z Current version 2013-01-31T19:08:00Z 2013-01-31T19:08:00Z Red Hat rhsa-to-cvrf 1.0.1484 2013-01-31T21:46:18Z Updated abrt and libreport packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. ABRT (Automatic Bug Reporting Tool) is a tool to help users to detect defects in applications and to create a bug report with all the information needed by a maintainer to fix it. It uses a plug-in system to extend its functionality. libreport provides an API for reporting different problems in applications to different bug targets, such as Bugzilla, FTP, and Trac. It was found that the /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache tool did not sufficiently sanitize its environment variables. This could lead to Python modules being loaded and run from non-standard directories (such as /tmp/). A local attacker could use this flaw to escalate their privileges to that of the abrt user. (CVE-2012-5659) A race condition was found in the way ABRT handled the directories used to store information about crashes. A local attacker with the privileges of the abrt user could use this flaw to perform a symbolic link attack, possibly allowing them to escalate their privileges to root. (CVE-2012-5660) Red Hat would like to thank Martin Carpenter of Citco for reporting the CVE-2012-5660 issue. CVE-2012-5659 was discovered by Miloslav Trmač of Red Hat. All users of abrt and libreport are advised to upgrade to these updated packages, which correct these issues. Please see https://www.redhat.com/footer/terms-of-use.html Copyright © 2013 Red Hat, Inc. All rights reserved. Important https://rhn.redhat.com/errata/RHSA-2013-0215.html https://rhn.redhat.com/errata/RHSA-2013-0215.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/updates/classification/#important Red Hat Enterprise Linux HPC Node Optional (v. 6) Red Hat Enterprise Linux Server (v. 6) Red Hat Enterprise Linux Workstation (v. 6) Red Hat Enterprise Linux Desktop Optional (v. 6) Red Hat Enterprise Linux Workstation Optional (v. 6) Red Hat Enterprise Linux HPC Node (v. 6) Red Hat Enterprise Linux Desktop (v. 6) Red Hat Enterprise Linux Server Optional (v. 6) abrt-2.0.8-6.el6_3.2.src.rpm libreport-2.0.9-5.el6_3.2.src.rpm abrt-2.0.8-6.el6_3.2 as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6) libreport-2.0.9-5.el6_3.2 as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6) abrt-2.0.8-6.el6_3.2 as a component of Red Hat Enterprise Linux Server (v. 6) libreport-2.0.9-5.el6_3.2 as a component of Red Hat Enterprise Linux Server (v. 6) abrt-2.0.8-6.el6_3.2 as a component of Red Hat Enterprise Linux Workstation (v. 6) libreport-2.0.9-5.el6_3.2 as a component of Red Hat Enterprise Linux Workstation (v. 6) abrt-2.0.8-6.el6_3.2 as a component of Red Hat Enterprise Linux Desktop Optional (v. 6) libreport-2.0.9-5.el6_3.2 as a component of Red Hat Enterprise Linux Desktop Optional (v. 6) abrt-2.0.8-6.el6_3.2 as a component of Red Hat Enterprise Linux Workstation Optional (v. 6) libreport-2.0.9-5.el6_3.2 as a component of Red Hat Enterprise Linux Workstation Optional (v. 6) abrt-2.0.8-6.el6_3.2 as a component of Red Hat Enterprise Linux HPC Node (v. 6) libreport-2.0.9-5.el6_3.2 as a component of Red Hat Enterprise Linux HPC Node (v. 6) abrt-2.0.8-6.el6_3.2 as a component of Red Hat Enterprise Linux Desktop (v. 6) libreport-2.0.9-5.el6_3.2 as a component of Red Hat Enterprise Linux Desktop (v. 6) abrt-2.0.8-6.el6_3.2 as a component of Red Hat Enterprise Linux Server Optional (v. 6) libreport-2.0.9-5.el6_3.2 as a component of Red Hat Enterprise Linux Server Optional (v. 6) It was found that the /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache tool did not sufficiently sanitize its environment variables. This could lead to Python modules being loaded and run from non-standard directories (such as /tmp/). A local attacker could use this flaw to escalate their privileges to that of the abrt user. 2012-09-03T00:00:00Z 2013-01-30T00:00:00Z CVE-2012-5659 6Client-6.3.z:abrt-2.0.8-6.el6_3.2 6Client-6.3.z:libreport-2.0.9-5.el6_3.2 6Client-optional-6.3.z:abrt-2.0.8-6.el6_3.2 6Client-optional-6.3.z:libreport-2.0.9-5.el6_3.2 6ComputeNode-6.3.z:abrt-2.0.8-6.el6_3.2 6ComputeNode-6.3.z:libreport-2.0.9-5.el6_3.2 6ComputeNode-optional-6.3.z:abrt-2.0.8-6.el6_3.2 6ComputeNode-optional-6.3.z:libreport-2.0.9-5.el6_3.2 6Server-6.3.z:abrt-2.0.8-6.el6_3.2 6Server-6.3.z:libreport-2.0.9-5.el6_3.2 6Server-optional-6.3.z:abrt-2.0.8-6.el6_3.2 6Server-optional-6.3.z:libreport-2.0.9-5.el6_3.2 6Workstation-6.3.z:abrt-2.0.8-6.el6_3.2 6Workstation-6.3.z:libreport-2.0.9-5.el6_3.2 6Workstation-optional-6.3.z:abrt-2.0.8-6.el6_3.2 6Workstation-optional-6.3.z:libreport-2.0.9-5.el6_3.2 Important 3.7 AV:L/AC:H/Au:N/C:P/I:P/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2013-0215.html https://www.redhat.com/security/data/cve/CVE-2012-5659.html CVE-2012-5659 https://bugzilla.redhat.com/show_bug.cgi?id=854011 bz#854011: CVE-2012-5659 abrt: Arbitrary Python code execution due improper sanitization of the PYTHONPATH environment variable by installing debuginfo packages into cache This issue was discovered by Miloslav Trmač of Red Hat. A race condition was found in the way ABRT handled the directories used to store information about crashes. A local attacker with the privileges of the abrt user could use this flaw to perform a symbolic link attack, possibly allowing them to escalate their privileges to root. 2012-12-14T00:00:00Z 2013-01-30T00:00:00Z CVE-2012-5660 6Client-6.3.z:abrt-2.0.8-6.el6_3.2 6Client-6.3.z:libreport-2.0.9-5.el6_3.2 6Client-optional-6.3.z:abrt-2.0.8-6.el6_3.2 6Client-optional-6.3.z:libreport-2.0.9-5.el6_3.2 6ComputeNode-6.3.z:abrt-2.0.8-6.el6_3.2 6ComputeNode-6.3.z:libreport-2.0.9-5.el6_3.2 6ComputeNode-optional-6.3.z:abrt-2.0.8-6.el6_3.2 6ComputeNode-optional-6.3.z:libreport-2.0.9-5.el6_3.2 6Server-6.3.z:abrt-2.0.8-6.el6_3.2 6Server-6.3.z:libreport-2.0.9-5.el6_3.2 6Server-optional-6.3.z:abrt-2.0.8-6.el6_3.2 6Server-optional-6.3.z:libreport-2.0.9-5.el6_3.2 6Workstation-6.3.z:abrt-2.0.8-6.el6_3.2 6Workstation-6.3.z:libreport-2.0.9-5.el6_3.2 6Workstation-optional-6.3.z:abrt-2.0.8-6.el6_3.2 6Workstation-optional-6.3.z:libreport-2.0.9-5.el6_3.2 Moderate 6.6 AV:L/AC:M/Au:S/C:C/I:C/A:C Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2013-0215.html https://www.redhat.com/security/data/cve/CVE-2012-5660.html CVE-2012-5660 https://bugzilla.redhat.com/show_bug.cgi?id=887866 bz#887866: CVE-2012-5660 abrt: Race condition in abrt-action-install-debuginfo Red Hat would like to thank Martin Carpenter of Citco for reporting this issue.