[Bug 2016023] Re: viewing an apport-cli crash with default pager could escalate privilege (CVE-2023-1326)
Benjamin Drung
2016023 at bugs.launchpad.net
Fri Apr 14 14:11:32 UTC 2023
** Information type changed from Private Security to Public Security
https://bugs.launchpad.net/bugs/2016023
Title:
viewing an apport-cli crash with default pager could escalate
privilege (CVE-2023-1326)
Status in Apport:
Fix Released
Status in apport package in Ubuntu:
Fix Released
Status in apport source package in Bionic:
Fix Released
Status in apport source package in Focal:
Fix Released
Status in apport source package in Jammy:
Fix Released
Status in apport source package in Kinetic:
Fix Released
Bug description:
# Description
The apport-cli supports viewing a crash. These features invoke the
default pager, which is likely to be less; other functions may apply.
It can be used to break out from restricted environments by spawning
an interactive system shell. If the binary is allowed to run as
superuser by sudo, it does not drop the elevated privileges and may be
used to access the file system, escalate or maintain privileged
access.
CVE-2023-1326 has been reserved for it.
# PoC
```
$ sudo apport-cli -c xxx.crash
!id
uid=0(root) gid=0(root) groups=0(root)
!done (press RETURN)
```
# Explanations
It’s a feature, not a bug/vulnerability? It’s an unexpected command
execution behavior when users just want to view some information.
It’s PAGER’s duty to fix the bug? As you can see in the chapter "Fix
Suggestion", there are some examples of how other applications fix the
bug.
# Fix Suggestion
There are some types of solutions and examples.
* Use LESSSECURE environment
* or do not use PAGER under root/sudo
# Reference
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26604
* https://github.com/systemd/systemd/issues/5666
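The two mitigations listed under "Fix Suggestion", combined in Python as an added example; it is not part of the bug report and not apport's actual patch. The names `pager_plan` and `show` are hypothetical, and the sketch assumes a Unix system where `less` is the pager to harden.

```python
import os
import shlex
import subprocess
import sys


def pager_plan(environ, euid):
    """Return (argv, env) for a hardened pager, or (None, None) for no pager."""
    # "Do not use PAGER under root/sudo": a privileged caller gets plain output.
    if euid == 0 or "SUDO_UID" in environ:
        return None, None
    # "Use LESSSECURE": with LESSSECURE=1, less disables the "!" shell
    # command, "|" pipes, the editor command and log files.
    env = dict(environ)
    env["LESSSECURE"] = "1"
    # Drop inherited variables that inject less options or preprocessor commands.
    for name in ("LESSOPEN", "LESSCLOSE", "LESS"):
        env.pop(name, None)
    argv = shlex.split(environ.get("PAGER", "")) or ["less"]
    # LESSSECURE only means something to less, so any other pager is replaced.
    if os.path.basename(argv[0]) != "less":
        argv = ["less"]
    return argv, env


def show(text, environ=None, euid=None):
    """Display text, paging only when it is safe to do so."""
    environ = os.environ if environ is None else environ
    euid = os.geteuid() if euid is None else euid
    argv, env = pager_plan(environ, euid)
    if argv is None or not sys.stdout.isatty():
        sys.stdout.write(text)
        return "stdout"
    try:
        subprocess.run(argv, input=text.encode(), env=env, check=False)
    except FileNotFoundError:
        # No less installed: fall back to writing the text directly.
        sys.stdout.write(text)
        return "stdout"
    return "pager"
```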