Comment 3 for bug 1004503

Michael Vogt (mvo) wrote : Re: [Bug 1004503] Re: Incomplete fix for CVE-2012-0949

On Fri, May 25, 2012 at 01:47:26PM -0000, Marc Deslauriers wrote:
> Michael,
Hi,

> Do you have an idea of the best way to fix this?

Urgh, nasty! Here is a potential fix:
=== modified file 'DistUpgrade/DistUpgradeApport.py'
--- DistUpgrade/DistUpgradeApport.py 2011-08-29 17:11:26 +0000
+++ DistUpgrade/DistUpgradeApport.py 2012-05-25 14:13:17 +0000
@@ -27,6 +27,9 @@
             f = os.path.join("/var/log/dist-upgrade",fname)
             if not os.path.isfile(f) or os.path.getsize(f) == 0:
                 continue
+ # never include system-state data
+ if "system_state" in f:
+ continue
             report[f.replace(".","").replace("-","")] = (open(f), )
         report.add_to_existing('/var/crash/_usr_bin_update-manager.0.crash')
     return True
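Review bot: the new check `if "system_state" in f` is a substring match on the full path and a deny-list keyed on a single name fragment, so any other state dump written to /var/log/dist-upgrade under a different name would still be opened and attached to the report by the `report[...] = (open(f), )` line below it. Since `fname` is already in scope, prefer an explicit allow-list of the log files that are safe to attach, or at minimum test the basename with `fname.startswith("system_state")`, so that the default for anything unexpected is to exclude rather than include. Also, the three added `+` lines appear with no indentation here; they need to sit at the same level as the preceding `continue` to be inside the loop body.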

But let me actually sit down and write a test case before it gets
committed.

Cheers,
 Michael

> Thanks!
>
> ** Changed in: update-manager (Ubuntu Natty)
> Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
>
> ** Changed in: update-manager (Ubuntu Oneiric)
> Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
>
> ** Changed in: update-manager (Ubuntu Precise)
> Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
>
> ** Changed in: update-manager (Ubuntu Natty)
> Importance: Undecided => High
>
> ** Changed in: update-manager (Ubuntu Oneiric)
> Importance: Undecided => High
>
> ** Changed in: update-manager (Ubuntu Precise)
> Importance: Undecided => High
>
> ** Changed in: update-manager (Ubuntu Quantal)
> Importance: Undecided => High
>
> ** Changed in: update-manager (Ubuntu Quantal)
> Assignee: (unassigned) => Michael Vogt (mvo)
>
> ** Changed in: update-manager (Ubuntu Natty)
> Status: New => Confirmed
>
> ** Changed in: update-manager (Ubuntu Oneiric)
> Status: New => Confirmed
>
> ** Changed in: update-manager (Ubuntu Precise)
> Status: New => Confirmed
>
> ** Changed in: update-manager (Ubuntu Quantal)
> Status: New => Confirmed
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1004503
>
> Title:
> Incomplete fix for CVE-2012-0949
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1004503/+subscriptions