Apportproject Apport
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Apportproject Apport.
By the Year
In 2026 there have been 0 vulnerabilities in Apportproject Apport. Apport did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 6 | 6.15 |
| 2023 | 0 | 0.00 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 7 | 4.93 |
It may take a day or so for new Apport vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Apportproject Apport Security Vulnerabilities
Apport Argument Parsing Filename Splitting Spoofing on Older Kernels
CVE-2022-28658
5.5 - Medium
- June 04, 2024
Apport argument parsing mishandles filename splitting on older kernels resulting in argument spoofing
Apport Fails to Disable Python Crash Handler Before Chroot
CVE-2022-28657
7.8 - High
- June 04, 2024
Apport does not disable python crash handler before entering chroot
Apport: is_closing_session() leaks RAM
CVE-2022-28656
5.5 - Medium
- June 04, 2024
is_closing_session() allows users to consume RAM in the Apport process
Allocation of Resources Without Limits or Throttling
Linux D-Bus arbitrary TCP via is_closing_session()
CVE-2022-28655
7.1 - High
- June 04, 2024
is_closing_session() allows users to create arbitrary tcp dbus connections
Allocation of Resources Without Limits or Throttling
Apport is_closing_session() DoS via log overflow
CVE-2022-28654
5.5 - Medium
- June 04, 2024
is_closing_session() allows users to fill up apport.log
Allocation of Resources Without Limits or Throttling
Apport Settings Parser Vulnerable to Billion Laughs Attack
CVE-2022-28652
5.5 - Medium
- June 04, 2024
~/.config/apport/settings parsing is vulnerable to "billion laughs" attack
XEE
Apport reads and writes information on a crashed process to /proc/pid with elevated privileges
CVE-2019-15790
3.3 - Low
- April 28, 2020
Apport reads and writes information on a crashed process to /proc/pid with elevated privileges. Apport then determines which user the crashed process belongs to by reading /proc/pid through get_pid_info() in data/apport. An unprivileged user could exploit this to read information about a privileged running process by exploiting PID recycling. This information could then be used to obtain ASLR offsets for a process with an existing memory corruption vulnerability. The initial fix introduced regressions in the Python Apport library due to a missing argument in Report.add_proc_environ in apport/report.py. It also caused an autopkgtest failure when reading /proc/pid and with Python 2 compatibility by reading /proc maps. The initial and subsequent regression fixes are in 2.20.11-0ubuntu16, 2.20.11-0ubuntu8.6, 2.20.9-0ubuntu7.12, 2.20.1-0ubuntu2.22 and 2.14.1-0ubuntu3.29+esm3.
Improper Privilege Management
Apport creates a world writable lock file with root ownership in the world writable /var/lock/apport directory
CVE-2020-8831
6.5 - Medium
- April 22, 2020
Apport creates a world writable lock file with root ownership in the world writable /var/lock/apport directory. If the apport/ directory does not exist (this is not uncommon as /var/lock is a tmpfs), it will create the directory, otherwise it will simply continue execution using the existing directory. This allows for a symlink attack if an attacker were to create a symlink at /var/lock/apport, changing apport's lock file location. This file could then be used to escalate privileges, for example. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22.
Creation of Temporary File in Directory with Insecure Permissions
Time-of-check Time-of-use Race Condition vulnerability on crash report ownership change in Apport
CVE-2020-8833
5.6 - Medium
- April 22, 2020
Time-of-check Time-of-use Race Condition vulnerability on crash report ownership change in Apport allows for a possible privilege escalation opportunity. If fs.protected_symlinks is disabled, this can be exploited between the os.open and os.chown calls when the Apport cron script clears out crash files of size 0. A symlink with the same name as the deleted file can then be created upon which chown will be called, changing the file owner to root. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22.
TOCTTOU
Kevin Backhouse discovered that apport would read a user-supplied configuration file with elevated privileges
CVE-2019-11481
7.8 - High
- February 08, 2020
Kevin Backhouse discovered that apport would read a user-supplied configuration file with elevated privileges. By replacing the file with a symbolic link, a user could get apport to read any file on the system as root, with unknown consequences.
insecure temporary file
Sander Bos discovered a time of check to time of use (TOCTTOU) vulnerability in apport
CVE-2019-11482
4.7 - Medium
- February 08, 2020
Sander Bos discovered a time of check to time of use (TOCTTOU) vulnerability in apport that allowed a user to cause core files to be written in arbitrary directories.
TOCTTOU
Sander Bos discovered Apport mishandled crash dumps originating from containers
CVE-2019-11483
3.3 - Low
- February 08, 2020
Sander Bos discovered Apport mishandled crash dumps originating from containers. This could be used by a local attacker to generate a crash report for a privileged process that is readable by an unprivileged user.
Sander Bos discovered Apport's lock file was in a world-writable directory which
CVE-2019-11485
3.3 - Low
- February 08, 2020
Sander Bos discovered Apport's lock file was in a world-writable directory which allowed all users to prevent crash handling.
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Apportproject Apport or by Apportproject? Click the Watch button to subscribe.
