Canonical Apport

Apport Crash Reporter: Incorrect Group Ownership Exposure
CVE-2025-5467 - December 10, 2025

It was discovered that process_crash() in data/apport in Canonical's Apport crash reporting tool may create crash files with incorrect group ownership, possibly exposing crash information beyond expected or intended groups.

Incorrect Ownership Assignment

Race Condition in Canonical Apport 2.32.0 leaks info via PID reuse
CVE-2025-5054 4.7 - Medium - May 30, 2025

Race condition in Canonical apport up to and including 2.32.0 allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces. When handling a crash, the function `_check_global_pid_and_forward`, which detects if the crashing process resided in a container, was being called before `consistency_checks`, which attempts to detect if the crashing process had been replaced. Because of this, if a process crashed and was quickly replaced with a containerized one, apport could be made to forward the core dump to the container, potentially leaking sensitive information. `consistency_checks` is now being called before `_check_global_pid_and_forward`. Additionally, given that the PID-reuse race condition cannot be reliably detected from userspace alone, crashes are only forwarded to containers if the kernel provided a pidfd, or if the crashing process was unprivileged (i.e., if dump mode == 1).

Race Condition

apport Crash Reporter: Unlimited /var/crash Disk Consumption Vulnerability
CVE-2022-28653 - January 31, 2025

Users can consume unlimited disk space in /var/crash

Apport Argument Parsing Filename Splitting Spoofing on Older Kernels
CVE-2022-28658 5.5 - Medium - June 04, 2024

Apport argument parsing mishandles filename splitting on older kernels resulting in argument spoofing

Apport: is_closing_session() leaks RAM
CVE-2022-28656 5.5 - Medium - June 04, 2024

is_closing_session() allows users to consume RAM in the Apport process

Allocation of Resources Without Limits or Throttling

Apport is_closing_session() DoS via log overflow
CVE-2022-28654 5.5 - Medium - June 04, 2024

is_closing_session() allows users to fill up apport.log

Allocation of Resources Without Limits or Throttling

Apport Settings Parser Vulnerable to Billion Laughs Attack
CVE-2022-28652 5.5 - Medium - June 04, 2024

~/.config/apport/settings parsing is vulnerable to "billion laughs" attack

XEE

Privilege Escalation via apport-cli 2.26.0 and earlier on sudo
CVE-2023-1326 7.8 - High - April 13, 2023

A privilege escalation attack was found in apport-cli 2.26.0 and earlier which is similar to CVE-2023-26604. If a system is specially configured to allow unprivileged users to run sudo apport-cli, less is configured as the pager, and the terminal size can be set: a local attacker can escalate privilege. It is extremely unlikely that a system administrator would configure sudo to allow unprivileged users to perform this class of exploit.

Improper Privilege Management

It was discovered that the process_report() function in data/whoopsie-upload-all
CVE-2021-32557 7.1 - High - June 12, 2021

It was discovered that the process_report() function in data/whoopsie-upload-all allowed arbitrary file writes via symlinks.

insecure temporary file

It was discovered that the get_modified_conffiles() function in backends/packaging-apt-dpkg.py
CVE-2021-32556 3.3 - Low - June 12, 2021

It was discovered that the get_modified_conffiles() function in backends/packaging-apt-dpkg.py allowed injecting modified package names in a manner that would confuse the dpkg(1) call.

Shell injection

It was discovered that apport in data/apport did not properly open a report file to prevent hanging reads on a FIFO.
CVE-2021-25684 7.8 - High - June 11, 2021

It was discovered that apport in data/apport did not properly open a report file to prevent hanging reads on a FIFO.

Improper Input Validation

It was discovered that the get_starttime() function in data/apport did not properly parse the /proc/pid/stat file
CVE-2021-25683 7.8 - High - June 11, 2021

It was discovered that the get_starttime() function in data/apport did not properly parse the /proc/pid/stat file from the kernel.

Improper Input Validation

It was discovered that the get_pid_info() function in data/apport did not properly parse the /proc/pid/status file
CVE-2021-25682 7.8 - High - June 11, 2021

It was discovered that the get_pid_info() function in data/apport did not properly parse the /proc/pid/status file from the kernel.

Injection

Apport creates a world writable lock file with root ownership in the world writable /var/lock/apport directory
CVE-2020-8831 6.5 - Medium - April 22, 2020

Apport creates a world writable lock file with root ownership in the world writable /var/lock/apport directory. If the apport/ directory does not exist (this is not uncommon as /var/lock is a tmpfs), it will create the directory, otherwise it will simply continue execution using the existing directory. This allows for a symlink attack if an attacker were to create a symlink at /var/lock/apport, changing apport's lock file location. This file could then be used to escalate privileges, for example. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22.

Creation of Temporary File in Directory with Insecure Permissions

Time-of-check Time-of-use Race Condition vulnerability on crash report ownership change in Apport
CVE-2020-8833 5.6 - Medium - April 22, 2020

Time-of-check Time-of-use Race Condition vulnerability on crash report ownership change in Apport allows for a possible privilege escalation opportunity. If fs.protected_symlinks is disabled, this can be exploited between the os.open and os.chown calls when the Apport cron script clears out crash files of size 0. A symlink with the same name as the deleted file can then be created upon which chown will be called, changing the file owner to root. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22.

TOCTTOU