USN-3480-2: Apport regressions

20 November 2017

USN-3480-1 introduced regressions in Apport.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

  • apport - automatically generate crash reports for debugging

Details

USN-3480-1 fixed vulnerabilities in Apport. The fix for CVE-2017-14177
introduced a regression in the ability to handle crashes for users that
configured their systems to use the Upstart init system in Ubuntu 16.04
LTS and Ubuntu 17.04. The fix for CVE-2017-14180 temporarily disabled
crash forwarding to containers. This update addresses the problems.

We apologize for the inconvenience.

Original advisory details:

Sander Bos discovered that Apport incorrectly handled core dumps for setuid
binaries. A local attacker could use this issue to perform a denial of service
via resource exhaustion or possibly gain root privileges. (CVE-2017-14177)

Sander Bos discovered that Apport incorrectly handled core dumps for processes
in a different PID namespace. A local attacker could use this issue to perform
a denial of service via resource exhaustion or possibly gain root privileges.
(CVE-2017-14180)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 17.10
Ubuntu 17.04
Ubuntu 16.04

In general, a standard system update will make all the necessary changes.