abrt, btparser, libreport security update

CentOS Errata and Security Advisory CESA-2012:0841

ABRT (Automatic Bug Reporting Tool) is a tool to help users to detect
defects in applications and to create a bug report with all the information
needed by a maintainer to fix it. It uses a plug-in system to extend its
functionality. libreport provides an API for reporting different problems
in applications to different bug targets, such as Bugzilla, FTP, and Trac.

The btparser utility is a backtrace parser and analyzer library, which
works with backtraces produced by the GNU Project Debugger. It can parse a
text file with a backtrace to a tree of C structures, allowing to analyze
the threads and frames of the backtrace and process them.

The python-meh package provides a python library for handling exceptions.

If the C handler plug-in in ABRT was enabled (the abrt-addon-ccpp package
installed and the abrt-ccpp service running), and the sysctl
fs.suid_dumpable option was set to “2” (it is “0” by default), core dumps
of set user ID (setuid) programs were created with insecure group ID
permissions. This could allow local, unprivileged users to obtain sensitive
information from the core dump files of setuid processes they would
otherwise not be able to access. (CVE-2012-1106)

ABRT did not allow users to easily search the collected crash information
for sensitive data prior to submitting it. This could lead to users
unintentionally exposing sensitive information via the submitted crash
reports. This update adds functionality to search across all the collected
data. Note that this fix does not apply to the default configuration, where
reports are sent to Red Hat Customer Support. It only takes effect for
users sending information to Red Hat Bugzilla. (CVE-2011-4088)

Red Hat would like to thank Jan Iven for reporting CVE-2011-4088.

These updated packages include numerous bug fixes. Space precludes
documenting all of these changes in this advisory. Users are directed to
the Red Hat Enterprise Linux 6.3 Technical Notes for information on the
most significant of these changes.

All users of abrt, libreport, btparser, and python-meh are advised to
upgrade to these updated packages, which correct these issues.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2012-July/080870.html

Affected packages:
abrt
abrt-addon-ccpp
abrt-addon-kerneloops
abrt-addon-python
abrt-addon-vmcore
abrt-cli
abrt-desktop
abrt-devel
abrt-gui
abrt-libs
abrt-tui
btparser
btparser-devel
btparser-python
libreport
libreport-cli
libreport-devel
libreport-gtk
libreport-gtk-devel
libreport-newt
libreport-plugin-bugzilla
libreport-plugin-kerneloops
libreport-plugin-logger
libreport-plugin-mailx
libreport-plugin-reportuploader
libreport-plugin-rhtsupport
libreport-python

Upstream details at:
https://access.redhat.com/errata/RHSA-2012:0841