Low: abrt, libreport, btparser, and python-meh security and bug fix update
Security Advisory: Low
Updated abrt, libreport, btparser, and python-meh packages that fix two
security issues and several bugs are now available for Red Hat Enterprise
Linux 6.
The Red Hat Security Response Team has rated this update as having low
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
ABRT (Automatic Bug Reporting Tool) is a tool to help users to detect
defects in applications and to create a bug report with all the information
needed by a maintainer to fix it. It uses a plug-in system to extend its
functionality. libreport provides an API for reporting different problems
in applications to different bug targets, such as Bugzilla, FTP, and Trac.
The btparser utility is a backtrace parser and analyzer library, which
works with backtraces produced by the GNU Project Debugger. It can parse a
text file with a backtrace to a tree of C structures, allowing to analyze
the threads and frames of the backtrace and process them.
The python-meh package provides a python library for handling exceptions.
If the C handler plug-in in ABRT was enabled (the abrt-addon-ccpp package
installed and the abrt-ccpp service running), and the sysctl
fs.suid_dumpable option was set to "2" (it is "0" by default), core dumps
of set user ID (setuid) programs were created with insecure group ID
permissions. This could allow local, unprivileged users to obtain sensitive
information from the core dump files of setuid processes they would
otherwise not be able to access. (CVE-2012-1106)
ABRT did not allow users to easily search the collected crash information
for sensitive data prior to submitting it. This could lead to users
unintentionally exposing sensitive information via the submitted crash
reports. This update adds functionality to search across all the collected
data. Note that this fix does not apply to the default configuration, where
reports are sent to Red Hat Customer Support. It only takes effect for
users sending information to Red Hat Bugzilla. (CVE-2011-4088)
Red Hat would like to thank Jan Iven for reporting CVE-2011-4088.
These updated packages include numerous bug fixes. Space precludes
documenting all of these changes in this advisory. Users are directed to
the Red Hat Enterprise Linux 6.3 Technical Notes for information on the
most significant of these changes.
All users of abrt, libreport, btparser, and python-meh are advised to
upgrade to these updated packages, which correct these issues.
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
Vulmon