CVE-2016-9949

Published: 14 December 2016

An issue was discovered in Apport before 2.20.4. In apport/ui.py, Apport reads the CrashDB field and it then evaluates the field as Python code if it begins with a "{". This allows remote attackers to execute arbitrary Python code.

From the Ubuntu Security Team

Donncha O Cearbhaill discovered that the crash file parser in Apport improperly treated the CrashDB field as python code. An attacker could use this to convince a user to open a maliciously crafted crash file and execute arbitrary code with the privileges of that user.

Notes

Author	Note
sbeattie	precise not affected

Priority

Cvss 3 Severity Score

7.8

Score breakdown

Status

Package	Release	Status
apport Launchpad, Ubuntu, Debian	precise	Not vulnerable
	trusty	Released (2.14.1-0ubuntu3.23)
	upstream	Needs triage
	xenial	Released (2.20.1-0ubuntu2.4)
	yakkety	Released (2.20.3-0ubuntu8.2)
	zesty	Not vulnerable (2.20.4-0ubuntu1)

Severity score breakdown

Parameter	Value
Base score	7.8
Attack vector	Local
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Bugs

https://bugs.launchpad.net/bugs/1648806

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›