5.3. abrt, libreport, btparser, and python-meh

Updated abrt, libreport, btparser, and python-meh packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
ABRT is a tool to help users to detect defects in applications and to create a problem report with all the information needed by a maintainer to fix it. It uses a plug-in system to extend its functionality. libreport provides an API for reporting different problems in applications to different bug targets like Bugzilla, ftp, and trac.
The btparser utility is a backtrace parser and analyzer library, which works with backtraces produced by the GNU Project Debugger. It can parse a text file with a backtrace to a tree of C structures, allowing to analyze the threads and frames of the backtrace and process them.
The python-meh package provides a python library for handling exceptions.


The abrt package has been upgraded to upstream version 2.0.8-1, which provides a number of bug fixes over the previous version. (BZ#759375)
The libreport package has been upgraded to upstream version 2.0.9-1, which provides a number of bug fixes over the previous version. (BZ#759377)
The btparser package has been upgraded to upstream version 0.16-1, which provides a number of bug fixes over the previous version. (BZ#768377)

Security Fixes

If the C handler plug-in in ABRT was enabled (the abrt-addon-ccpp package installed and the abrt-ccpp service running), and the sysctl fs.suid_dumpable option was set to "2" (it is "0" by default), core dumps of set user ID (setuid) programs were created with insecure group ID permissions. This could allow local, unprivileged users to obtain sensitive information from the core dump files of setuid processes they would otherwise not be able to access.
ABRT did not allow users to easily search the collected crash information for sensitive data prior to submitting it. This could lead to users unintentionally exposing sensitive information via the submitted crash reports. This update adds functionality to search across all the collected data. Note that this fix does not apply to the default configuration, where reports are sent to Red Hat Customer Support. It only takes effect for users sending information to Red Hat Bugzilla.
Red Hat would like to thank Jan Iven for reporting CVE-2011-4088.

Bug Fixes

BZ#809587, BZ#745976
When the ABRT GUI was used to report a bug using the menu button Report problem with ABRT, an empty bug was created. This update removes this button as it was only used for testing purposes.
When a new dump directory was saved to /var/spool/abrt-upload/ via the reporter-upload utility, the ABRT daemon copied the dump directory to /var/spool/abrt/ and incremented the crash count which was already incremented before. Due to the crash count being incremented twice, the dump directory was marked as a duplicate of itself and removed. With this update, the crash count is no longer incremented for remotely uploaded dump directories, thus fixing the issue.
The /usr/bin/abrt-cli utility was missing a man page. This update adds the abrt-cli(1) man page.
Analyzing lines of a kernel oops caused the line variable to be freed twice. This update fixes this bug, and kernel oopses are now properly analyzed.
Prior to this update, ABRT email notification via the mailx plug-in did not function properly due to a missing default configuration file for the mailx plug-in. This update adds a default configuration file for the mailx plug-in: /etc/libreport/plugins/mailx.conf.
Starting the ABRT daemon resulted in an error if dbus was not installed on the system. This update removes the dbus dependency and the ABRT daemon can now be started even if dbus is not installed on the system.
The previous version of ABRT silently allowed users to report the same problem to Bugzilla multiple times. This behavior is now changed and users are warned if the report was already submitted. The max allowed size of email attachments and local logs was increased to 1 MB. This fixes the problem where longer reports were being lost when sent via email or stored locally using the logger plug-in.
This update fixes a bug which caused the /tmp/anaconda-tb-* files to be sometimes recognized as a binary file and sometimes as a text file.
ABRT 2.x has added various new daemons. However, not all of the added daemons were properly enabled during the transition from ABRT 1.x. With this update, all daemons are correctly started and updating from ABRT 1.x to ABRT 2.x works as expected.
The abrt-cli package previously depended on the abrt-addon-python package. This prevented users from removing the abrt-addon-python package via Yum as the abrt-cli would be removed as well. With this update, a new virtual abrt-tui package has been added that pulls all the required packages in order to use ABRT on the command line, thus, resolving the aforementioned issue.
Previously, some strings in the ABRT tools were not marked as translatable. This update fixes this issue.
When ABRT attempted to move data, a misleading message was returned to the user informing that a copy of the dump was created. This update improves this message so that it is clear that ABRT does not copy data but moves it.
When a backtrace contains a frame with text consisting of function arguments that was too long, the backtrace printer in GDB truncates the arguments. The backtrace parser could not handle the truncated arguments and did not format them properly. With this update, the backtrace parser detects the truncated strings, indicating the function arguments were truncated. The parser state then adapts to this situation and correctly parses the backtrace.
A change in the Bugzilla API prevented the ABRT bugzilla plug-in from working correctly. This update resolves this issue by modifying the source code to work with the new Bugzilla API.
This update fixes a typographical error in the commentary of various ABRT configuration files.
The previous version of ABRT generated an invalid XML log file. This update fixes this and every non-ASCII character is now escaped.
Unlike ABRT, python-meh was not including a list of environment variables in its problem reports. A list of environment variables is useful information for assignees of the created bug. With this update, code producing a list of environment variables and passing it to libreport was added to python-meh, and problem reports generated by python-meh now include lists of environment variables.
All users of abrt, libreport, btparser, and python-meh are advised to upgrade to these updated packages, which contain backported patches to correct these issues.