An issue exists in Apport prior to 2.20.4. In apport/ui.py, Apport reads the CrashDB field and it then evaluates the field as Python code if it begins with a "{". This allows remote malicious users to execute arbitrary Python code.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
apport project apport |
||
canonical ubuntu linux |
To everyone else, get patching
Users and administrators of Ubuntu Linux desktops are being advised to patch their systems following the disclosure of serious security flaws. Researcher Donncha O'Cearbhaill, who discovered and privately reported the vulnerabilities to the Ubuntu team, said that a successful exploit of the bugs could allow an attacker to remotely execute code by tricking a victim into downloading a maliciously booby-trapped file. The exploitable flaws are present in Ubuntu 12.10 and greater. He notes that while...