[Bug 2107472] Re: Race condition when forwarding core files to containers
Benjamin Drung
2107472 at bugs.launchpad.net
Mon Jun 2 08:28:27 UTC 2025
This security introduces a regression. See bug #2112272.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/2107472
Title:
Race condition when forwarding core files to containers
Status in Apport:
Fix Committed
Status in apport package in Ubuntu:
Fix Released
Bug description:
Qualys discovered a vulnerability in apport (Ubuntu's core-dump
handler), and a similar vulnerability in systemd-coredump (which is
the default core-dump handler on Red Hat Enterprise Linux 9 and Fedora
for example): a race condition that allows a local attacker to crash a
SUID program and gain read access to the resulting core dump (by
quickly replacing the crashed SUID process with another process,
before its /proc/pid/ files are analyzed by the vulnerable core-dump
handler).
Unfortunately, while reading apport's code Qualys noticed that the function that handles crashes inside namespaces (_check_global_pid_and_forward) is called before the aforementioned security checks are run in consistency_checks(); in other words, an attacker can trick apport's _check_global_pid_and_forward() into
analyzing the wrong process, while the kernel still sends the core dump of the originally crashed process to apport (over its file descriptor 0, stdin).
To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/2107472/+subscriptions
More information about the foundations-bugs
mailing list