[Bug 1877023] Re: Unhandled exception in check_ignored()

Launchpad Bug Tracker 1877023 at bugs.launchpad.net
Tue Aug 4 16:58:15 UTC 2020 

This bug was fixed in the package apport - 2.20.11-0ubuntu27.6

---------------
apport (2.20.11-0ubuntu27.6) focal-security; urgency=medium

  * SECURITY UPDATE: information disclosure issue (LP: #1885633)
    - data/apport: also drop gid when checking if user session is closing.
    - CVE-2020-11936
  * SECURITY UPDATE: crash via malformed ignore file (LP: #1877023)
    - apport/report.py: don't crash on malformed mtime values.
    - CVE-2020-15701
  * SECURITY UPDATE: TOCTOU in core file location
    - data/apport: make sure the process hasn't been replaced after Apport
      has started.
    - CVE-2020-15702
  * apport/ui.py, test/test_ui.py: make sure a PID is specified when using
    --hanging (LP: #1876659)
  * WARNING: This package does _not_ contain the changes from
    2.20.11-0ubuntu27.5 in focal-proposed.

 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Fri, 31 Jul 2020
09:10:30 -0400

** Changed in: apport (Ubuntu)
       Status: Confirmed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-11936

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-15702

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1877023

Title:
  Unhandled exception in check_ignored()

Status in Apport:
  New
Status in apport package in Ubuntu:
  Fix Released

Bug description:
  Hi,

  I have found a security issue on apport 2.20.11 and earlier.

  ## Vulnerability 
  apport 2.20.11 and earlier have an unhandled exception vulnerability during parsing apport-ignore.xml.
  An attacker can cause a denial of service (i.e., application crash) via a crafted apport-ignore.xml file.

  ## Description
  Reports can be suppressed by blacklisting in apport-ignore.xml.

  This is an example of apport-ignore.xml

  <?xml version="1.0" ?>
  <apport>
    <ignore mtime="1461374304" program="/opt/sublime_text/sublime_text"/>
    <ignore mtime="1453471676" program="/bin/sleep"/>
    <ignore mtime="1452699271" program="/usr/bin/strace"/>
  </apport>

  Unfortunately, it may cause an unhandled exception when 'mtime'
  attribute is specified as a string value, not a number like this.

  <?xml version="1.0" ?>
  <apport>
    <ignore mtime="string" program="/bin/sleep"/>
  </apport>

  It may disrupt apport service and allow an attacker to potentially
  enable a denial of service via local access.

  The flaw lies in improper exception handling of 'mtime' attribute in
  apport-ignore.xml (see
  https://git.launchpad.net/ubuntu/+source/apport/tree/apport/report.py?h=applied/ubuntu/devel#n1104).

  ## Log
  Here is /var/log/apport.log when the above exception occurs.

  ERROR: apport (pid 25904) Tue May  5 18:38:21 2020: Unhandled exception:
  Traceback (most recent call last):
    File "/usr/share/apport/apport", line 629, in <module>
      if info.check_ignored():
    File "/usr/lib/python3/dist-packages/apport/report.py", line 1082, in check_ignored
      if float(ignore.getAttribute('mtime')) >= cur_mtime:
  ValueError: could not convert string to float: 'string'

  Sincerely,

To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/1877023/+subscriptions

More information about the foundations-bugs mailing list