CVE-2016-9950

Priority
Description
An issue was discovered in Apport before 2.20.4. There is a path traversal
issue in the Apport crash file "Package" and "SourcePackage" fields. These
fields are used to build a path to the package-specific hook files in the
/usr/share/apport/package-hooks/ directory. An attacker can exploit this
path traversal to execute arbitrary Python files from the local system.
Ubuntu-Description
Donncha O Cearbhaill discovered that Apport did not properly sanitize
the Package and SourcePackage fields in crash files before processing
package-specific hooks. An attacker could use this to convince a
user to open a maliciously crafted crash file and execute arbitrary
code with the privileges of that user.
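
Added example (not Apport's code and not its actual fix): a sketch of the path construction described above, next to a checked version that a crash-file consumer could use before loading a hook. The function names, the assumption that the field holds a package name optionally followed by a version, and the sample values are constructed for illustration.

```python
import os
import re

HOOK_DIR = "/usr/share/apport/package-hooks"  # directory named in the advisory

# Debian Policy package-name syntax: lowercase letters, digits, "+", "-", ".",
# at least two characters, starting with an alphanumeric. No "/" can match.
_PKG_NAME = re.compile(r"[a-z0-9][a-z0-9+.\-]+")


def hook_path_unchecked(field_value, hook_dir=HOOK_DIR):
    """Pattern the advisory describes: the field value goes straight into a path."""
    name = field_value.split()[0]  # assumption: "name [version]" layout
    return os.path.normpath(os.path.join(hook_dir, name + ".py"))


def hook_path_checked(field_value, hook_dir=HOOK_DIR):
    """Return the hook path for a Package/SourcePackage value, or None to skip hooks."""
    tokens = field_value.split()
    if not tokens or not _PKG_NAME.fullmatch(tokens[0]):
        return None  # empty field or not a syntactically valid package name
    base = os.path.realpath(hook_dir)
    candidate = os.path.realpath(os.path.join(base, tokens[0] + ".py"))
    # Defence in depth: after resolving symlinks the file must still sit
    # directly inside the hook directory, otherwise it is refused.
    if os.path.dirname(candidate) != base:
        return None
    return candidate


# Constructed field values, as they might appear in an untrusted crash file.
SAMPLES = [
    "bash 4.3-14ubuntu1",
    "libstdc++6 5.4.0",
    "../../../../tmp/hook 1.0",
    "/tmp/hook",
    "Bash",
    "",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value), "->", hook_path_checked(value))
```

Values rejected by hook_path_checked should cause the hook step to be skipped for that report rather than falling back to the unchecked path.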
Notes
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was released [2.0.1-0ubuntu17.15])
Ubuntu 14.04 ESM (Trusty Tahr): released (2.14.1-0ubuntu3.23)
Ubuntu 16.04 LTS (Xenial Xerus): released (2.20.1-0ubuntu2.4)
More Information

Updated: 2019-12-05 18:46:52 UTC (commit dd38ff22974aae499eb50644b9d5a2817483cbdb)