6.9 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
0.0004 Low
EPSS
Percentile
9.7%
ABRT (Automatic Bug Reporting Tool) is a tool to help users to detect defects in applications and to create a bug report with all the information needed by a maintainer to fix it. It uses a plug-in system to extend its functionality. libreport provides an API for reporting different problems in applications to different bug targets, such as Bugzilla, FTP, and Trac. It was found that the /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache tool did not sufficiently sanitize its environment variables. This could lead to Python modules being loaded and run from non-standard directories (such as /tmp/). A local attacker could use this flaw to escalate their privileges to that of the abrt user. (CVE-2012-5659) A race condition was found in the way ABRT handled the directories used to store information about crashes. A local attacker with the privileges of the abrt user could use this flaw to perform a symbolic link attack, possibly allowing them to escalate their privileges to root. (CVE-2012-5660) Red Hat would like to thank Martin Carpenter of Citco for reporting the CVE-2012-5660 issue. CVE-2012-5659 was discovered by Miloslav TrmaÄ of Red Hat. All users of abrt and libreport are advised to upgrade to these updated packages, which correct these issues.
CPE | Name | Operator | Version |
---|---|---|---|
abrt | eq | 2.0.4__14.el6 | |
abrt | eq | 1.1.16__3.el6 | |
abrt | eq | 1.1.13__4.el6 | |
libreport | eq | 2.0.5__20.el6 | |
abrt | eq | 2.0.4__14.el6 | |
abrt | eq | 1.1.16__3.el6 | |
abrt | eq | 1.1.13__4.el6 | |
libreport | eq | 2.0.5__20.el6 |
git.fedorahosted.org/cgit/libreport.git/commit/?id=3bbf961b1884dd32654dd39b360dd78ef294b10a
rhn.redhat.com/errata/RHSA-2013-0215.html
access.redhat.com/errata/RHSA-2013:0215
access.redhat.com/security/cve/CVE-2012-5660
access.redhat.com/security/updates/classification/#important
bugzilla.redhat.com/show_bug.cgi?id=887866
rhn.redhat.com/errata/RHSA-2013-0215.html