[Bug 1830862] Re: Apport reads arbitrary files if ~/.config/apport/settings is a symlink

Benjamin Drung 1830862 at bugs.launchpad.net
Mon Jun 27 10:17:40 UTC 2022


** Changed in: apport
    Milestone: None => 2.21.0

** Changed in: apport
   Importance: Undecided => Critical

** Changed in: apport
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1830862

Title:
  Apport reads arbitrary files if ~/.config/apport/settings is a symlink

Status in Apport:
  Fix Released
Status in apport package in Ubuntu:
  Fix Released

Bug description:
  Dear Ubuntu Security Team,

  I would like to report a local denial of service vulnerability in
  Apport. This issue is a variant of issue 1830858, but I believe it is
  less severe because I was only able to use it to trigger a denial of
  service. To trigger the bug:

  mkdir -p ~/.config/apport
  ln -s /dev/zero ~/.config/apport/settings
  gcc segv.c -o segv
  ./segv

  (I have tested these steps on an up-to-date Ubuntu 18.04.)

  Apport will happily follow the symlink, even if it points to a file
  that requires root privileges to read. The reason why it is more
  difficult to exploit than issue 1830858 is that Apport will error out
  if the file is not formatted correctly. But if the symlink points to
  /dev/zero then Apport will keep reading until it uses all the system's
  memory, thereby DOS-ing the machine.

  Please let me know when you have fixed the vulnerability, so that I
  can coordinate my disclosure with yours. For reference, here is a link
  to Semmle's vulnerability disclosure policy:
  https://lgtm.com/security#disclosure_policy

  Thank you,

  Kevin Backhouse

  Semmle Security Research Team
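
Added example, not part of the original report and not Apport's own code or its released fix: one way a process can open a per-user settings file so that a symlink, a device node such as /dev/zero, or an oversized file is refused instead of read. The names read_user_settings, UnsafeSettingsFile and demo, the 64 KiB cap and the sample file contents are assumptions made for illustration.

```python
import errno
import os
import stat
import tempfile

MAX_SETTINGS_BYTES = 64 * 1024  # assumed cap, not a value from Apport
class UnsafeSettingsFile(Exception):
    """The settings path is not a small regular file owned by the user."""

def read_user_settings(path, expected_uid, max_bytes=MAX_SETTINGS_BYTES):
    """Return the file's bytes; refuse symlinks, devices, foreign owners, oversize files."""
    # O_NOFOLLOW rejects a symlink in the final path component only;
    # O_NONBLOCK keeps open() from blocking on a FIFO.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_CLOEXEC
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            raise UnsafeSettingsFile(f"{path} is a symlink") from exc
        raise
    try:
        st = os.fstat(fd)  # inspect the opened object, not the path (no TOCTOU)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeSettingsFile(f"{path} is not a regular file")
        if st.st_uid != expected_uid:
            raise UnsafeSettingsFile(f"{path} is not owned by uid {expected_uid}")
        data = b""
        while len(data) <= max_bytes:  # bounded read, at most max_bytes + 1
            chunk = os.read(fd, max_bytes + 1 - len(data))
            if not chunk:
                return data
            data += chunk
        raise UnsafeSettingsFile(f"{path} exceeds {max_bytes} bytes")
    finally:
        os.close(fd)

def demo():
    """Constructed fixtures: a regular settings file and a /dev/zero symlink."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good, link = os.path.join(d, "settings"), os.path.join(d, "link")
        with open(good, "wb") as f:
            f.write(b"[main]\nkey=value\n")  # constructed sample content
        os.symlink("/dev/zero", link)
        for name, p in (("regular", good), ("symlink", link)):
            try:
                results[name] = read_user_settings(p, os.getuid())
            except UnsafeSettingsFile as exc:
                results[name] = str(exc)
    return results
```

Because O_NOFOLLOW covers only the last path component, a privileged reader would also need to control how the parent directories are resolved, or read the file with the user's own privileges.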
