-
apport (2.20.11-0ubuntu27.27) focal; urgency=medium
* whoopsie-upload-all: Catch zlib.error when decoding CoreDump from
crash file (LP: #1947800)
* Fix KeyError: 'CasperMD5json' (LP: #1964828)
* apport-kde: Fix inverse order of choices (LP: #1967965)
* apport-unpack: Fix ValueError: ['separator'] has no binary content
(LP: #1889443)
* test:
- Clear environment for test_run_as_real_user_no_sudo
- Mock add_gdb_info calls in KDE UI tests
- Fix KDE UI tests if whoopsie.path is disabled
- Fix race with progress dialog in KDE UI tests
- Run UI KDE tests again
- Determine source package dynamically in test_run_crash_kernel
(LP: #1992172)
-- Benjamin Drung <email address hidden> Fri, 14 Apr 2023 01:17:21 +0200
-
apport (2.20.11-0ubuntu27.26) focal-security; urgency=medium
* SECURITY UPDATE: viewing an apport-cli crash with default pager could
escalate privilege (LP: #2016023)
- apport/ui.py, apport/user_group.py, bin/apport-cli: drops privilege to
users environment before execution (using sudo)
- test/test_ui.py, test/test_user/group.py: Add test cases for new code
- CVE-2023-1326
-- Benjamin Drung <email address hidden> Wed, 12 Apr 2023 18:41:51 +0200
-
apport (2.20.11-0ubuntu27.25) focal; urgency=medium
* Point Vcs-* URIs to git
* whoopsie-upload-all: Catch FileNotFoundError during process_report
(LP: #1867204)
* Grab a slice of JournalErrors around the crash time (LP: #1962454)
* data/apport:
- Initialize error log as first step (LP: #1989467)
- Fix PermissionError for setuid programs inside container (LP: #1982487)
- Fix reading from stdin inside containers (LP: #1982555)
* Fix autopkgtest test case failures (LP: #1989467):
- Mark autopkgtest with isolation-container restriction
- Fix failure if kernel module isofs is not installed
- Do not check recommended dependencies
- Skip UI test if kernel thread is not found
- Fix race in test_crash_system_slice
- Fix check for not running test executable
- Use shadow in *_different_binary_source
- Mock kernel package version in UI test
- Fix test_kerneloops_nodetails if kernel is not installed
- Drop broken test_crash_setuid_drop_and_kill
- Expect linux-signed on arm64/s390x as well
- Skip SegvAnalysis for non x86 architectures
- Use unlimited core ulimit for SIGQUIT test
- Fix race with progress window in GTK UI tests
- Use sleep instead of yes for tests
- Fix test_add_gdb_info_script on armhf
- Fix wrong Ubuntu archive URI on ports
- Fix KeyError in test_install_packages_unversioned
- Depend on python3-systemd for container tests
- Depend on psmisc for killall binary
- Replace missing oxideqt-codecs
- Drop broken test_install_packages_from_launchpad
- Fix test_install_packages_permanent_sandbox* for s390x
-- Benjamin Drung <email address hidden> Thu, 15 Sep 2022 14:43:39 +0200
-
apport (2.20.11-0ubuntu27.24) focal-security; urgency=medium
* SECURITY UPDATE: Fix multiple security issues
- test/test_report.py: Fix flaky test.
- data/apport: Fix too many arguments for error_log().
- data/apport: Use proper argument variable name executable_path.
- etc/init.d/apport: Set core_pipe_limit to a non-zero value to make
sure the kernel waits for apport to finish before removing the /proc
information.
- apport/fileutils.py, data/apport: Search for executable name if one
wan't provided such as when being called in a container.
- data/apport: Limit memory and duration of gdbus call. (CVE-2022-28654,
CVE-2022-28656)
- data/apport, apport/fileutils.py, test/test_fileutils.py: Validate
D-Bus socket location. (CVE-2022-28655)
- apport/fileutils.py, test/test_fileutils.py: Turn off interpolation
in get_config() to prevent DoS attacks. (CVE-2022-28652)
- Refactor duplicate code into search_map() function.
- Switch from chroot to container to validating socket owner.
(CVE-2022-1242, CVE-2022-28657)
- data/apport: Clarify error message.
- apport/fileutils.py: Fix typo in comment.
- apport/fileutils.py: Do not call str in loop.
- data/apport, etc/init.d/apport: Switch to using non-positional
arguments. Get real UID and GID from the kernel and make sure they
match the process. Also fix executable name space handling in
argument parsing. (CVE-2022-28658, CVE-2021-3899)
-- Marc Deslauriers <email address hidden> Tue, 10 May 2022 09:23:35 -0400
-
apport (2.20.11-0ubuntu27.23) focal; urgency=medium
* Fix expanded symlinks from the previous build
apport (2.20.11-0ubuntu27.22) focal; urgency=medium
* apport/ui.py: Error out when -w option is used on wayland (LP: #1952947).
-- William 'jawn-smith' Wilson <email address hidden> Wed, 30 Mar 2022 13:03:09 -0500
-
apport (2.20.11-0ubuntu27.22) focal; urgency=medium
* apport/ui.py: Error out when -w option is used on wayland (LP: #1952947).
-- Nick Rosbrook <email address hidden> Wed, 16 Feb 2022 11:32:21 -0500
-
apport (2.20.11-0ubuntu27.21) focal-security; urgency=medium
* SECURITY UPDATE: Privilege escalation via core files
- refactor privilege dropping and create core files in a well-known
directory in apport/fileutils.py, apport/report.py, data/apport,
test/test_fileutils.py, test/test_report.py,
test/test_signal_crashes.py, test/test_ui.py.
- use systemd-tmpfiles to create and manage the well-known core file
directory in setup.py, data/systemd/apport.conf,
debian/apport.install.
-- Marc Deslauriers <email address hidden> Mon, 18 Oct 2021 07:48:31 -0400
-
apport (2.20.11-0ubuntu27.20) focal-security; urgency=medium
* SECURITY UPDATE: Arbitrary file read (LP: #1934308)
- data/general-hooks/ubuntu.py: don't attempt to include emacs
byte-compilation logs, they haven't been generated by the emacs
packages in a long time.
- CVE-2021-3709
* SECURITY UPDATE: Info disclosure via path traversal (LP: #1933832)
- apport/hookutils.py, test/test_hookutils.py: detect path traversal
attacks, and directory symlinks.
- CVE-2021-3710
-- Marc Deslauriers <email address hidden> Thu, 26 Aug 2021 10:30:01 -0400
-
apport (2.20.11-0ubuntu27.18) focal-security; urgency=medium
* SECURITY UPDATE: Multiple arbitrary file reads (LP: #1917904)
- apport/hookutils.py: don't follow symlinks and make sure the file
isn't a FIFO in read_file().
- test/test_hookutils.py: added symlink tests.
- CVE-2021-32547, CVE-2021-32548, CVE-2021-32549, CVE-2021-32550,
CVE-2021-32551, CVE-2021-32552, CVE-2021-32553, CVE-2021-32554,
CVE-2021-32555
* SECURITY UPDATE: info disclosure via modified config files spoofing
(LP: #1917904)
- backends/packaging-apt-dpkg.py: properly terminate arguments in
get_modified_conffiles.
- CVE-2021-32556
* SECURITY UPDATE: arbitrary file write (LP: #1917904)
- data/whoopsie-upload-all: don't follow symlinks and make sure the
file isn't a FIFO in process_report().
- CVE-2021-32557
-- Marc Deslauriers <email address hidden> Tue, 18 May 2021 09:15:10 -0400
-
apport (2.20.11-0ubuntu27.17) focal; urgency=medium
* data/general-hooks/ubuntu.py: tag bugs from Raspberry Pi images and RISCV
images appropriately. (LP: #1920837)
* apport/hookutils.py: spawn pkttyagent so that log files can be gathered as
root in a non-graphical environment (LP: #1821415). Thanks to Iain Lane
for the patch.
* apport/hookutils.py: root access is needed to read the
casper-md5check.json file so switch to using that. (LP: #1922937)
-- Brian Murray <email address hidden> Mon, 26 Apr 2021 13:28:49 -0700
-
apport (2.20.11-0ubuntu27.16) focal-security; urgency=medium
* SECURITY UPDATE: multiple security issues (LP: #1912326)
- CVE-2021-25682: error parsing /proc/pid/status
- CVE-2021-25683: error parsing /proc/pid/stat
- CVE-2021-25684: stuck reading fifo
- data/apport: make sure existing report is a regular file.
- apport/fileutils.py: move some logic here to skip over manipulated
process names and filenames.
- test/test_fileutils.py: added some parsing tests.
-- Marc Deslauriers <email address hidden> Tue, 26 Jan 2021 07:21:46 -0500
-
apport (2.20.11-0ubuntu27.14) focal; urgency=medium
* data/apport: only drop supplemental groups if the user is root. (LP: #1906565)
-- Brian Murray <email address hidden> Thu, 03 Dec 2020 09:26:27 -0800
-
apport (2.20.11-0ubuntu27.13) focal; urgency=medium
* data/apport: Modify the check for whether or not a process is running in
the same namespace so that crashes from processes running protected in the
system.slice are considered as being from the same namespace. (LP: #1870060)
-- Brian Murray <email address hidden> Mon, 16 Nov 2020 14:40:03 -0800
-
apport (2.20.11-0ubuntu27.12) focal-security; urgency=medium
* Various security hardening fixes (LP: #1903332)
- apport/fileutils.py: drop privileges in the correct order, limit
settings file size.
- apport/apport/report.py: properly drop privileges, limit ignore file
size.
- data/apport: drop supplemental groups.
-- Marc Deslauriers <email address hidden> Tue, 10 Nov 2020 15:03:57 -0500
-
apport (2.20.11-0ubuntu27.11) focal; urgency=medium
* data/apport: In the event that the crashing executable does not exist on
disk any more the path name of the executable (passed by core) is appended
with '(deleted)' because apport is currently using sys.argv for argument
parsing there end up being too many arguments and apport crashes. This is
fixed by adding handling for six arguments. (LP: #1899195)
-- Brian Murray <email address hidden> Fri, 16 Oct 2020 13:30:49 -0700
-
apport (2.20.11-0ubuntu27.10) focal; urgency=medium
* apport/hookutils.py: call dump_acpi_tables.py with root_command_output
thereby avoiding a PermissionError. (LP: #1895865)
* data/dump_acpi_tables.py: If the user cannot read the acpi tables don't
try and print them. (LP: #1895865)
-- Brian Murray <email address hidden> Mon, 28 Sep 2020 08:47:49 -0700
-
apport (2.20.11-0ubuntu27.9) focal; urgency=medium
[ YC Cheng ]
* apport/apport/hookutils.py: add acpidump using built-in
dump_acpi_tables.py. (LP: #1888352)
* bin/oem-getlogs: add "-E" in the usage, since we'd like to talk to
pulseaudio session and that need environment infomation. Also remove
acpidump since we will use the one from hook.
-- Brian Murray <email address hidden> Wed, 02 Sep 2020 09:48:39 -0700
-
apport (2.20.11-0ubuntu27.8) focal; urgency=medium
[Brian Murray]
* Fix pep8 errors regarding ambiguous variables.
apport (2.20.11-0ubuntu27.7) focal; urgency=medium
* d/control: Offer real package alternatives along with x-terminal-server
for apport-gtk and apport-kde (LP: #1881976)
-- Dariusz Gadomski <email address hidden> Sun, 09 Aug 2020 13:43:11 +0200
-
apport (2.20.11-0ubuntu27.7) focal; urgency=medium
* d/control: Offer real package alternatives along with x-terminal-server
for apport-gtk and apport-kde (LP: #1881976)
-- Dariusz Gadomski <email address hidden> Wed, 05 Aug 2020 10:55:40 +0200
-
apport (2.20.11-0ubuntu27.6) focal-security; urgency=medium
* SECURITY UPDATE: information disclosure issue (LP: #1885633)
- data/apport: also drop gid when checking if user session is closing.
- CVE-2020-11936
* SECURITY UPDATE: crash via malformed ignore file (LP: #1877023)
- apport/report.py: don't crash on malformed mtime values.
- CVE-2020-15701
* SECURITY UPDATE: TOCTOU in core file location
- data/apport: make sure the process hasn't been replaced after Apport
has started.
- CVE-2020-15702
* apport/ui.py, test/test_ui.py: make sure a PID is specified when using
--hanging (LP: #1876659)
* WARNING: This package does _not_ contain the changes from
2.20.11-0ubuntu27.5 in focal-proposed.
-- Marc Deslauriers <email address hidden> Fri, 31 Jul 2020 09:10:30 -0400
-
apport (2.20.11-0ubuntu27.5) focal; urgency=medium
* d/control: Offer real package alternatives along with x-terminal-server
for apport-gtk and apport-kde (LP: #1881976).
-- Dariusz Gadomski <email address hidden> Wed, 22 Jul 2020 13:56:05 +0200
-
apport (2.20.11-0ubuntu27.4) focal; urgency=medium
[ Lukas Märdian ]
* Backport snap handling for ubuntu-bug from Groovy (LP: #1861082)
* Build-depend on python3-requests-unixsocket.
[ Brian Murray ]
* data/dump_acpi_tables.py: update the output thanks to Alex Hung for the
patch. (LP: #1883027)
-- Brian Murray <email address hidden> Wed, 24 Jun 2020 09:57:22 -0700
-
apport (2.20.11-0ubuntu27.3) focal; urgency=medium
* apport_python_hook.py: if python apt modules are not built for the python
version then do capture the crash. (LP: #1774843)
* apport/report.py: If the user is not a part of any system groups then
set UserGroups to 'N/A'. (LP: #1427600)
-- Brian Murray <email address hidden> Mon, 01 Jun 2020 09:44:37 -0700
-
apport (2.20.11-0ubuntu27.2) focal; urgency=medium
* gtk/apport-gtk: upgrade regular expression used to match URLs in free text
(LP: #1871185)
apport (2.20.11-0ubuntu27.1) focal; urgency=medium
* debian/apport.install: Add in a source package hook for linux-meta-raspi
which provides linux-raspi and linux-raspi2. (LP: #1876952)
* data/general-hooks/ubuntu.py: collect ImageMediaBuild information which
exists on preinstalled RPi images. (LP: #1876945)
* Add in a source package hook symlink for linux-firmware. (LP: #1872059)
* debian/tests/control: Depend on python3-twisted, not python-twisted-core
-- Brian Murray <email address hidden> Tue, 12 May 2020 15:34:22 -0700
-
apport (2.20.11-0ubuntu27) focal; urgency=medium
* backends/packaging-apt-dpkg.py, apport/sandboxutils.py: Add modifications
to the retracing process to resolve failures to retrace due to user merge
changes.
* etc/apport/crashdb.conf: Disable Launchpad crash reports for 20.04
release.
-- Brian Murray <email address hidden> Wed, 15 Apr 2020 17:01:49 -0700
-
apport (2.20.11-0ubuntu26) focal; urgency=medium
* apport/hookutils.py, data/general-hooks/ubuntu.py: Add in a hook which
will add the results of the casper-md5check to all bug reports.
(LP: #1870408)
-- Brian Murray <email address hidden> Wed, 08 Apr 2020 15:46:56 -0700
-
apport (2.20.11-0ubuntu25) focal; urgency=medium
[ Brian Murray ]
* apport/hookutils.py: Add in "lspci -vt" output for the HWE team.
[ Dimitri John Ledkov ]
* data/general-hooks/powerpc.py: Hande reports without a package, such
as against subiquity snap, otherwise the hook crashes subiquity, which
is trying to generate a crash report. LP: #1871434
* data/package-hooks/subiquity.py: Fix typpo in subiquity hook, readline
from fp, not from filename.
-- Dimitri John Ledkov <email address hidden> Tue, 07 Apr 2020 20:04:10 +0100
-
apport (2.20.11-0ubuntu24) focal; urgency=medium
* bin/apport-unpack: Handle gzip'ed files, thanks to Yuan-Chen Cheng for the
patch. (LP: #1859581)
-- Brian Murray <email address hidden> Fri, 03 Apr 2020 10:38:06 -0700
-
apport (2.20.11-0ubuntu23) focal; urgency=medium
* With Michael Hudson-Doyle add a package hook to allow subiquity problems
to be reported from the installed system and about the subuquity project.
-- Brian Murray <email address hidden> Fri, 03 Apr 2020 09:33:54 -0700
-
apport (2.20.11-0ubuntu22) focal; urgency=medium
* SECURITY UPDATE: World writable root owned lock file created in user
controllable location (LP: #1862348)
- data/apport: Change location of lock file to be directly under
/var/run so that regular users can not directly access it or perform
symlink attacks.
- CVE-2020-8831
* SECURITY UPDATE: Race condition between report creation and ownership
(LP: #1862933)
- data/apport: When setting owner of report file use a file-descriptor
to the report file instead of its path name to ensure that users can
not cause Apport to change the ownership of other files via a
symlink attack.
- CVE-2020-8833
-- Alex Murray <email address hidden> Wed, 25 Mar 2020 11:28:58 +1030
-
apport (2.20.11-0ubuntu21) focal; urgency=medium
[ Brian Murray ]
* backends/packaging-apt-dpkg.py: allow mirrors which are accessed via https
in sources.list. Thanks to Launchpad user Esokrates for the fix.
(LP: #1866996)
* backends/packaging-apt-dpkg.py: when downloading packages from Launchpad
do not require them to be authenticated.
* test/test_backend_apt_dpkg.py: Fix check for connectivity and modify
install from PPA test for a change in the PPA being tested.
[ Matthieu Clemenceau ]
* test/test_ui.py: Removed linux package version to fix autopkgtest with
focal. Changed linux-5.4 and linux-signed-5.4 to linux and linux-signed
-- Brian Murray <email address hidden> Thu, 12 Mar 2020 15:46:30 -0700
-
apport (2.20.11-0ubuntu20) focal; urgency=medium
* test/test_report.py: resolve test failure with new glibc output.
-- Brian Murray <email address hidden> Tue, 10 Mar 2020 08:41:28 -0700
-
apport (2.20.11-0ubuntu19) focal; urgency=medium
* apport/report.py: do not return a duplicate signature when we are unable
to access ProcMaps as that is necessary to create one. (LP: #1866347)
* apport/ui.py: Always allow users to use ubuntu-bug or apport-collect
regardless of the Problem Reporting setting as they are manually invoked
and not automatically generated like a crash report. (LP: #1814611)
-- Brian Murray <email address hidden> Mon, 09 Mar 2020 15:18:42 -0700
-
apport (2.20.11-0ubuntu18) focal; urgency=medium
* data/whoopsie-upload-all: append to the crash report using fdopen and open
from os to cope with protected_regular being set to 1. (LP: #1848064)
-- Brian Murray <email address hidden> Sat, 22 Feb 2020 06:56:37 -0800
-
apport (2.20.11-0ubuntu17) focal; urgency=medium
[ Brian Murray ]
* Add in a source package hook symlinks for linux-signed-5.4,
linux-signed-oem-5.4, linux-oem-5.4, and linux-5.4. (LP: #1861446)
* Remove obsolete package hook for Nexus 7 devices.
[ Tiago Stürmer Daitx ]
* Fix Python 2/3 support. (LP: #1853383)
-- Brian Murray <email address hidden> Fri, 21 Feb 2020 13:16:54 -0800
-
apport (2.20.11-0ubuntu16) focal; urgency=medium
* SECURITY REGRESSION: 'module' object has no attribute 'O_PATH'
(LP: #1851806)
- apport/report.py, apport/ui.py: use file descriptors for /proc/pid
directory access only when running under python 3; prevent reading /proc
maps under python 2 as it does not provide a secure way to do so; use
io.open for better compatibility between python 2 and 3.
* data/apport: fix number of arguments passed through socks into a container.
* test/test_report.py: test login session with both pid and proc_pid_fd.
-- Tiago Stürmer Daitx <email address hidden> Mon, 06 Jan 2020 13:28:40 +0000
-
apport (2.20.11-0ubuntu15) focal; urgency=medium
* etc/apport/crashdb.conf: Enable Launchpad crash reports for focal.
-- Brian Murray <email address hidden> Fri, 20 Dec 2019 10:35:17 -0800
-
apport (2.20.11-0ubuntu14) focal; urgency=medium
* apport/report.py, test/test_report.py: handle the fact that gdb now
returns a different error message for truncated core files in some cases.
* bin/oem-getlogs: add in script for getting hardware enablement related
logs. Thanks to Yuan-Chen Cheng for the code. (LP: #1841157)
* apport/hookutils.py: also gather lsusb -v and lsusb -t. Thanks to
Yuan-Chen Cheng for the patch.
* bin/oem-getlogs: Various pep8 / pyflakes fixes.
-- Brian Murray <email address hidden> Fri, 13 Dec 2019 08:41:58 -0800
-
apport (2.20.11-0ubuntu13) focal; urgency=medium
[ Brian Murray ]
* Create additional symlinks to the source_linux.py apport package hook for
many OEM kernels. Thanks to You-Sheng Yang for the patch. (LP: #1847967)
[ Michael Hudson-Doyle ]
* Fix autopkgtest failures since recent security update: (LP: #1854237)
- Fix regression in creating report for crashing setuid process by getting
kernel to tell us the executable path rather than reading
/proc/[pid]/exe.
- Fix deletion of partially written core files.
- Fix test_get_logind_session to use new API.
- Restore add_proc_info raising ValueError for a dead process.
- Delete test_lock_symlink, no longer applicable now that the lock is
created in a directory only root can write to.
-- Michael Hudson-Doyle <email address hidden> Fri, 06 Dec 2019 08:57:09 +1300
-
apport (2.20.11-0ubuntu12) focal; urgency=medium
[ Steve Langasek ]
* Drop python2 bindings.
[ Tiago Stürmer Daitx ]
* debian/control: point VCS to focal repository.
-- Steve Langasek <email address hidden> Tue, 03 Dec 2019 10:46:40 -0800
-
apport (2.20.11-0ubuntu11) focal; urgency=medium
* SECURITY REGRESSION: missing argument in Report.add_proc_environ
call (LP: #1850929)
- apport/report.py: call add_proc_environ using named arguments
and move proc_pid_dir keyword to last to keep api compatibility.
-- Tiago Stürmer Daitx <email address hidden> Tue, 05 Nov 2019 02:49:27 +0000
-
apport (2.20.11-0ubuntu10) focal; urgency=medium
* SECURITY UPDATE: apport reads arbitrary files if ~/.config/apport/settings
is a symlink (LP: #1830862)
- apport/fileutils.py: drop permissions before reading user settings file.
- CVE-2019-11481
* SECURITY UPDATE: TOCTTOU race conditions and following symbolic
links when creating a core file (LP: #1839413)
- data/apport: use file descriptor to reference to cwd instead
of strings.
- CVE-2019-11482
* SECURITY UPDATE: fully user controllable lock file due to lock file
being located in world-writable directory (LP: #1839415)
- data/apport: create and use lock file from /var/lock/apport.
- CVE-2019-11485
* SECURITY UPDATE: per-process user controllable Apport socket file
(LP: #1839420)
- data/apport: forward crashes only under a valid uid and gid,
thanks Stéphane Graber for the patch.
- CVE-2019-11483
* SECURITY UPDATE: PID recycling enables an unprivileged user to
generate and read a crash report for a privileged process (LP: #1839795)
- data/apport: drop permissions before adding proc info (special thanks
to Kevin Backhouse for the patch)
- data/apport, apport/report.py, apport/ui.py: only access or open
/proc/[pid] through a file descriptor for that directory.
- CVE-2019-15790
-- Tiago Stürmer Daitx <email address hidden> Tue, 29 Oct 2019 05:23:08 +0000
-
apport (2.20.11-0ubuntu9) focal; urgency=medium
* Use an SRU-safe substring when checking for the available version of
aspell-doc in xenial, since aspell *did* have an SRU.
-- Steve Langasek <email address hidden> Tue, 22 Oct 2019 14:07:14 -0700
-
apport (2.20.11-0ubuntu8) eoan; urgency=medium
* Removed general hook which would gather information about click packages.
* data/package-hooks/source_ubiquity: pass on a KeyError when adding
installation logs.
* etc/apport/crashdb.conf: Disable Launchpad crash reports for 19.04
release.
-- Brian Murray <email address hidden> Wed, 09 Oct 2019 14:23:27 -0700
