[Bug 2107472] Re: Three bypasses

Benjamin Drung 2107472 at bugs.launchpad.net
Fri May 30 12:10:11 UTC 2025 

The fixes have been released and the CVE has been made public:
* https://blog.qualys.com/vulnerabilities-threat-research/2025/05/29/qualys-tru-discovers-two-local-information-disclosure-vulnerabilities-in-apport-and-systemd-coredump-cve-2025-5054-and-cve-2025-4598
* https://www.qualys.com/2025/05/29/apport-coredump/apport-coredump.txt

** Summary changed:

- Three bypasses
+ Local information disclosure in apport (Three bypasses)

** Information type changed from Private Security to Public Security

** Also affects: apport
   Importance: Undecided
       Status: New

** Changed in: apport
    Milestone: None => 2.33.0

** Changed in: apport (Ubuntu)
       Status: Triaged => Fix Released

** Changed in: apport
   Importance: Undecided => High

** Changed in: apport
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/2107472

Title:
  Local information disclosure in apport (Three bypasses)

Status in Apport:
  In Progress
Status in apport package in Ubuntu:
  Fix Released

Bug description:
  Qualys discovered a vulnerability in apport (Ubuntu's core-dump
  handler), and a similar vulnerability in systemd-coredump (which is
  the default core-dump handler on Red Hat Enterprise Linux 9 and Fedora
  for example): a race condition that allows a local attacker to crash a
  SUID program and gain read access to the resulting core dump (by
  quickly replacing the crashed SUID process with another process,
  before its /proc/pid/ files are analyzed by the vulnerable core-dump
  handler).

  Unfortunately, while reading apport's code Qualys noticed that the function that handles crashes inside namespaces (_check_global_pid_and_forward) is called before the aforementioned security checks are run in consistency_checks(); in other words, an attacker can trick apport's _check_global_pid_and_forward() into
  analyzing the wrong process, while the kernel still sends the core dump of the originally crashed process to apport (over its file descriptor 0, stdin).

To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/2107472/+subscriptions

More information about the foundations-bugs mailing list