Apport Apportproject Apport


By the Year

In 2024 there have been 0 vulnerabilities in Apportproject Apport. Apport did not have any published security vulnerabilities last year.

Year  Vulnerabilities  Average Score
2024  0                0.00
2023  0                0.00
2022  0                0.00
2021  0                0.00
2020  7                4.66
2019  0                0.00
2018  0                0.00

It may take a day or so for new Apport vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Apportproject Apport Security Vulnerabilities

Apport reads and writes information on a crashed process to /proc/pid with elevated privileges

CVE-2019-15790 3.3 - Low - April 28, 2020

Apport reads and writes information on a crashed process to /proc/pid with elevated privileges. Apport then determines which user the crashed process belongs to by reading /proc/pid through get_pid_info() in data/apport. An unprivileged user could exploit this to read information about a privileged running process by exploiting PID recycling. This information could then be used to obtain ASLR offsets for a process with an existing memory corruption vulnerability. The initial fix introduced regressions in the Python Apport library due to a missing argument in Report.add_proc_environ in apport/report.py. It also caused an autopkgtest failure when reading /proc/pid and with Python 2 compatibility by reading /proc maps. The initial and subsequent regression fixes are in 2.20.11-0ubuntu16, 2.20.11-0ubuntu8.6, 2.20.9-0ubuntu7.12, 2.20.1-0ubuntu2.22 and 2.14.1-0ubuntu3.29+esm3.

Improper Privilege Management

Apport creates a world writable lock file with root ownership in the world writable /var/lock/apport directory

CVE-2020-8831 5.5 - Medium - April 22, 2020

Apport creates a world writable lock file with root ownership in the world writable /var/lock/apport directory. If the apport/ directory does not exist (this is not uncommon as /var/lock is a tmpfs), it will create the directory, otherwise it will simply continue execution using the existing directory. This allows for a symlink attack if an attacker were to create a symlink at /var/lock/apport, changing apport's lock file location. This file could then be used to escalate privileges, for example. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22.

insecure temporary file

Time-of-check Time-of-use Race Condition vulnerability on crash report ownership change in Apport

CVE-2020-8833 4.7 - Medium - April 22, 2020

Time-of-check Time-of-use Race Condition vulnerability on crash report ownership change in Apport allows for a possible privilege escalation opportunity. If fs.protected_symlinks is disabled, this can be exploited between the os.open and os.chown calls when the Apport cron script clears out crash files of size 0. A symlink with the same name as the deleted file can then be created upon which chown will be called, changing the file owner to root. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22.

TOCTTOU

Kevin Backhouse discovered that apport would read a user-supplied configuration file with elevated privileges

CVE-2019-11481 7.8 - High - February 08, 2020

Kevin Backhouse discovered that apport would read a user-supplied configuration file with elevated privileges. By replacing the file with a symbolic link, a user could get apport to read any file on the system as root, with unknown consequences.

insecure temporary file

Sander Bos discovered a time of check to time of use (TOCTTOU) vulnerability in apport

CVE-2019-11482 4.7 - Medium - February 08, 2020

Sander Bos discovered a time of check to time of use (TOCTTOU) vulnerability in apport that allowed a user to cause core files to be written in arbitrary directories.

TOCTTOU

Sander Bos discovered Apport mishandled crash dumps originating from containers

CVE-2019-11483 3.3 - Low - February 08, 2020

Sander Bos discovered Apport mishandled crash dumps originating from containers. This could be used by a local attacker to generate a crash report for a privileged process that is readable by an unprivileged user.

Sander Bos discovered Apport's lock file was in a world-writable directory which

CVE-2019-11485 3.3 - Low - February 08, 2020

Sander Bos discovered Apport's lock file was in a world-writable directory which allowed all users to prevent crash handling.
