Incomplete fix for CVE-2012-0949
Bug #1004503 reported by Marc Deslauriers
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
update-manager (Ubuntu) | Fix Released | High | Brian Murray |
Natty | Fix Released | High | Marc Deslauriers |
Oneiric | Fix Released | High | Marc Deslauriers |
Precise | Fix Released | High | Marc Deslauriers |
Quantal | Fix Released | High | Brian Murray |
Bug Description
The following USN fixed CVE-2012-0949:
http://
"Felix Geyer discovered that the Update Manager Apport hook incorrectly
uploaded certain system state archive files to Launchpad when reporting
bugs. This could possibly result in repository credentials being included
in public bug reports."
This was originally LP #954483
Unfortunately, the state archive files are still being uploaded. It seems there is code in DistUpgradeAppo
apport_crash() can be simply modified to exclude the archive files, but fixing apport_pkgfailure() is more complicated.
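One way to exclude archive files when a bug-report hook gathers attachments, as an added example that is not update-manager's or Apport's own code. The directory layout, file names, suffix allowlist and the `collect_attachments`, `is_archive` and `demo` helpers are assumptions made for illustration; the check goes by file content as well as by name, so a renamed archive is also skipped.

```python
import gzip
import os
import tempfile

# Leading bytes of common compressed/archive formats (gzip, zip, bzip2, xz).
ARCHIVE_MAGIC = (b"\x1f\x8b", b"PK\x03\x04", b"BZh", b"\xfd7zXZ\x00")
ALLOWED_SUFFIXES = (".log", ".txt")  # assumed allowlist of plain-text logs


def is_archive(path):
    """True if the file starts with an archive magic or is an uncompressed tar."""
    with open(path, "rb") as fh:
        head = fh.read(262)
    if head.startswith(ARCHIVE_MAGIC):
        return True
    return head[257:262] == b"ustar"  # tar magic sits at offset 257


def collect_attachments(logdir):
    """Return {file name: text} for the files that are safe to attach."""
    report = {}
    for name in sorted(os.listdir(logdir)):
        path = os.path.join(logdir, name)
        # Skip directories, special files and symlinks pointing elsewhere.
        if os.path.islink(path) or not os.path.isfile(path):
            continue
        # Allowlist by name, then refuse archives regardless of their name.
        if not name.endswith(ALLOWED_SUFFIXES) or is_archive(path):
            continue
        with open(path, "r", errors="replace") as fh:
            report[name] = fh.read()
    return report


def demo():
    """Build a constructed log directory and return the names that get attached."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "main.log"), "w") as fh:
            fh.write("upgrade started\n")
        # Constructed stand-ins for a state archive, one under a log-like name.
        for name in ("system_state.tar.gz", "renamed.log"):
            with gzip.open(os.path.join(d, name), "wb") as fh:
                fh.write(b"deb https://user:secret@example.invalid/ stable main\n")
        return sorted(collect_attachments(d))


if __name__ == "__main__":
    print(demo())
```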
visibility: private → public
tags: added: patch
Changed in update-manager (Ubuntu Oneiric):
assignee: Marc Deslauriers (mdeslaur) → jorge (jorgemonclova)
Changed in update-manager (Ubuntu Oneiric):
assignee: jorge (jorgemonclova) → Marc Deslauriers (mdeslaur)
Michael,
Do you have an idea of the best way to fix this?
Thanks!