Bug 991604 (CVE-2013-4209)

Summary: CVE-2013-4209 ABRT: (substantially) limited leak of unauthorized information
Product: [Other] Security Response Reporter: Jan Pokorný [poki] <jpokorny>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jrusnack, mmilata, security-response-team, vkrizan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: abrt 2.1.6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-06 09:12:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 994418    
Bug Blocks: 994278    

Comment 4 Vincent Danen 2013-08-06 23:53:30 UTC 
A flaw was found in abrt, where a local attacker could obtain the SHA1SUM of a file they should have no access to.

Acknowledgements:

This issue was discovered by Jan Pokorný of Red Hat.
Comment 6 Vincent Danen 2013-08-06 23:57:13 UTC 
Statement:

Not vulnerable. This issue did not affect the versions of abrt as shipped with Red Hat Enterprise Linux 6.
Comment 15 Stefan Cornelius 2013-09-06 09:12:43 UTC 
Time to open this up.

We now ship the fixed version 2.1.6 on all previously affected products.
Comment 17 Martin Milata 2013-09-26 15:22:05 UTC 
In upstream commit https://github.com/abrt/abrt/commit/776209bd00b0dd16d02dd20fdb14eecbb6b9fa18 the format of core backtraces changed significantly. Source file hashes are no longer included for python exception reports.