Bug 1155478 - (CVE-2019-11481) VUL-1: CVE-2019-11481: apport: local denial of service via arbitrary user-controlled settings
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low / Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/246066/
CVSSv3:SUSE:CVE-2019-11481:4.4:(AV:L/...
Reported: 2019-10-30 16:22 UTC by Alexander Bergmann
Modified: 2020-06-09 19:47 UTC (History)
Found By: Security Response Team
Description Alexander Bergmann 2019-10-30 16:22:20 UTC
CVE-2019-11481

Apport reads the potentially arbitrary user-controlled settings file as the
root user.

References:
https://bugs.launchpad.net/ubuntu/%2Bsource/apport/%2Bbug/1830862
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11481
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11481.html
Comment 1 Matej Cepl 2020-06-09 15:59:30 UTC
I am not sure we can do anything about this issue in the given time and effort spent on it. We have in SLE-11 (the only distro where we have apport) apport-0.114-rev1189, whereas upstream (https://launchpad.net/apport) is on 2.20.4 (rev3266).

There is no proper analysis of the issue at https://bugs.launchpad.net/ubuntu/%2Bsource/apport/%2Bbug/1830862, nor is there anywhere a clear indication of the patch which fixes it.

My suggestion is WONTFIX, because fixing this would probably require much more work than we are willing to spend on it.