Bug 1155478 (CVE-2019-11481)

Summary: VUL-1: CVE-2019-11481: apport: local denial of service via arbitrary user-controlled settings
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: IN_PROGRESS ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/246066/
Whiteboard: CVSSv3:SUSE:CVE-2019-11481:4.4:(AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L) maint:planned:update
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2019-10-30 16:22:20 UTC
CVE-2019-11481

Apport reads the potentially arbitrary user-controlled settings file as the
root user.

References:
https://bugs.launchpad.net/ubuntu/%2Bsource/apport/%2Bbug/1830862
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11481
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11481.html
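The description above gives only the bug class (a root process reads a settings file that the unprivileged user controls) and not the mechanism, so the following is an added illustration of how a privileged reader can guard such a file, not apport's own code and not a reproduction of CVE-2019-11481. It assumes a hypothetical helper read_user_settings() and a constructed scenario with a well-formed INI file, a symlink, a FIFO (which would make a naive blocking open() hang the reader) and an oversized file; the 64 KiB cap and the file contents are assumptions, not values from the page.

```python
import configparser
import errno
import os
import stat
import tempfile

# Assumed size cap for a user-owned settings file; not a value apport defines on this page.
MAX_SETTINGS_BYTES = 64 * 1024


def read_user_settings(path, owner_uid, max_bytes=MAX_SETTINGS_BYTES):
    """Read a user-owned settings file on behalf of a privileged process.

    Returns (status, parser): status is "ok" or a short rejection reason.
    Refuses symlinks, non-regular files (FIFOs, devices) and oversized files,
    and never blocks in open(), so a hostile path cannot hang the reader.
    """
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_NOCTTY | os.O_CLOEXEC
    try:
        fd = os.open(path, flags)
    except OSError as e:
        if e.errno == errno.ELOOP:        # O_NOFOLLOW hit a symlink
            return "symlink", None
        if e.errno == errno.ENOENT:
            return "missing", None
        return "open-error", None
    try:
        st = os.fstat(fd)                 # inspect the object we actually opened
        if not stat.S_ISREG(st.st_mode):  # FIFO, device, directory, socket
            return "not-regular", None
        if st.st_uid != owner_uid:        # only the user whose settings these are
            return "wrong-owner", None
        if st.st_size > max_bytes:
            return "too-large", None
        data = os.read(fd, max_bytes + 1) # re-check: size may change after fstat
        if len(data) > max_bytes:
            return "too-large", None
    finally:
        os.close(fd)
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(data.decode("utf-8"))
    except (configparser.Error, UnicodeDecodeError):
        return "parse-error", None
    return "ok", parser


def demo():
    """Constructed scenario: one valid settings file and several hostile stand-ins."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        uid = os.getuid()
        good = os.path.join(d, "settings")
        with open(good, "w") as f:
            f.write("[main]\nunpackaged = false\n")   # constructed sample content
        link = os.path.join(d, "settings.link")
        os.symlink(good, link)
        fifo = os.path.join(d, "settings.fifo")
        os.mkfifo(fifo)                               # a blocking open() would hang here
        big = os.path.join(d, "settings.big")
        with open(big, "wb") as f:
            f.write(b"[main]\n" + b"x = y\n" * 20000)  # ~120 KiB, over the cap
        status, parser = read_user_settings(good, uid)
        results["good"] = status
        results["good_value"] = parser.get("main", "unpackaged")
        results["symlink"] = read_user_settings(link, uid)[0]
        results["fifo"] = read_user_settings(fifo, uid)[0]
        results["big"] = read_user_settings(big, uid)[0]
        results["wrong_owner"] = read_user_settings(good, uid + 1)[0]
        results["missing"] = read_user_settings(os.path.join(d, "nope"), uid)[0]
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The stronger fix for this bug class is to not read the file as root at all: open it after switching to the user's uid/gid (or in a forked, unprivileged helper) so the kernel enforces the user's own permissions. The checks above are the defence a root reader should keep even when it does drop privileges, since they also bound what a hostile file can do to the parser.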
Comment 1 Matej Cepl 2020-06-09 15:59:30 UTC
I am not sure we can do anything about this issue in the given time and effort spent on it. We have in SLE-11 (the only distro where we have apport) apport-0.114-rev1189, whereas upstream (https://launchpad.net/apport) is on 2.20.4 (rev3266).

There is no proper analysis of the issue at https://bugs.launchpad.net/ubuntu/%2Bsource/apport/%2Bbug/1830862, nor is there anywhere a clear indication of the patch which fixes it.

My suggestion is WONTFIX, because fixing this would probably require much more work than we are willing to spend on it.