Article 25GHF O'Cearbhaill: Reliably compromising Ubuntu desktops by attacking the crash reporter


by corbet, from LWN.net (#25GHF)
Donncha O'Cearbhaill has discovered that Ubuntu's "apport" tool, which handles application crash data, passes arbitrary data to the Python eval() function. There are a couple of other vulnerabilities as well, making it possible to fully compromise a system. The bugs (now known as CVE-2016-9949, CVE-2016-9950, and CVE-2016-9951) have been fixed; applying the updates is highly recommended for Ubuntu users. "The computer security industry has a serious conflict of interest right now. There is major financial motivation for researchers to find and disclose vulnerability to exploit brokers. Many of the brokers are in the business of keeping problems unfixed. Code execution bugs are valuable. As a data point, I received an offer of more than 10,000 USD from an exploit vendor for these Apport bugs."
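The core bug class here is evaluating data from an untrusted file with eval(). The following is an added illustration, not apport's code or its real report format: a constructed key/value "crash report" field is parsed once with eval() and once with ast.literal_eval(). The function record_execution() and the sample field strings are stand-ins invented for this example; the point is that eval() will happily call a function named in the input, while literal_eval() accepts only Python literals and rejects everything else.

```python
import ast

# Constructed sample crash-report field values (not apport's format).
# A benign field: a Python dict literal describing the crash.
SAFE_FIELD = "{'signal': 11, 'pid': 4242}"

# A field that is a valid Python *expression* but not a *literal*.
# With eval() this calls a function; in a real report that function
# would be whatever the file's author chose, i.e. arbitrary code execution.
EXPRESSION_FIELD = "record_execution()"

# Records whether the expression above was actually executed.
EXECUTION_LOG = []


def record_execution():
    """Hypothetical stand-in for 'code from the report file ran'."""
    EXECUTION_LOG.append("called")
    return "executed"


def parse_field_unsafe(value):
    """Vulnerable pattern: eval() executes any expression in the string."""
    return eval(value)  # noqa: S307 - deliberately unsafe for demonstration


def parse_field_safe(value):
    """Hardened pattern: literal_eval() only builds literals (dicts, lists,
    strings, numbers, booleans, None) and raises for names, calls, attribute
    access or anything else that would execute code."""
    try:
        return ast.literal_eval(value)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"rejected non-literal crash-report field: {value!r}") from exc


def field_is_literal(value):
    """Return True if the field would be accepted by the hardened parser."""
    try:
        parse_field_safe(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("safe parser on dict field:", parse_field_safe(SAFE_FIELD))
    print("safe parser accepts call expression?", field_is_literal(EXPRESSION_FIELD))
    print("unsafe parser on call expression:", parse_field_unsafe(EXPRESSION_FIELD))
    print("execution log after eval():", EXECUTION_LOG)
```

The hardened parser is the right fix whenever the format is meant to carry data rather than code; where a report field genuinely needs structure, a dedicated parser (for example JSON with a schema) is preferable even to literal_eval(), since it never involves the Python expression grammar at all.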
