Bugzilla – Bug 1155478
VUL-1: CVE-2019-11481: apport: local denial of service via arbitrary user-controlled settings
Last modified: 2024-05-06 12:05:55 UTC
CVE-2019-11481

Apport reads the potentially arbitrary user-controlled settings file as the root user.

References:
https://bugs.launchpad.net/ubuntu/%2Bsource/apport/%2Bbug/1830862
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11481
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11481.html
I am not sure we can do anything about this issue in the given time and effort spent on it. We have in SLE-11 (the only distro where we have apport) apport-0.114-rev1189, whereas upstream (https://launchpad.net/apport) is on 2.20.4 (rev3266). There is no proper analysis of the issue at https://bugs.launchpad.net/ubuntu/%2Bsource/apport/%2Bbug/1830862, nor is there anywhere a clear indication of the patch which fixes it. My suggestion is WONTFIX, because fixing this would probably require much more work than we are willing to spend on it.
apport and apport-crashdb-sle are unsupported now. Closing.