Apport reads arbitrary files if ~/.config/apport/settings is a symlink
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Apport | Fix Released | Critical | Unassigned |
apport (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Dear Ubuntu Security Team,
I would like to report a local denial of service vulnerability in Apport. This issue is a variant of issue 1830858, but I believe it is less severe because I was only able to use it to trigger a denial of service. To trigger the bug:
mkdir -p ~/.config/apport
ln -s /dev/zero ~/.config/
gcc segv.c -o segv
./segv
(I have tested these steps on an up-to-date Ubuntu 18.04.)
Apport will happily follow the symlink, even if it points to a file that requires root privileges to read. The reason why it is more difficult to exploit than issue 1830858 is that Apport will error out if the file is not formatted correctly. But if the symlink points to /dev/zero then Apport will keep reading until it uses all the system's memory, thereby DOS-ing the machine.
Please let me know when you have fixed the vulnerability, so that I can coordinate my disclosure with yours. For reference, here is a link to Semmle's vulnerability disclosure policy: https:/
Thank you,
Kevin Backhouse
Semmle Security Research Team
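An added example, not part of the original report and not Apport's code or its actual fix: one way a privileged helper could read a per-user settings file so that a symlink to /dev/zero or to a root-only file is refused instead of followed. The function name, the exception class and the 64 KiB cap are assumptions made for illustration.

```python
import configparser
import errno
import os
import stat

MAX_SETTINGS_BYTES = 64 * 1024  # assumed cap; a settings file is tiny


class UnsafeSettingsFile(Exception):
    """The settings path is not a small regular file owned by the user."""


def read_user_settings(path, owner_uid, max_bytes=MAX_SETTINGS_BYTES):
    """Parse an INI settings file on behalf of owner_uid, refusing symlinks,
    devices, FIFOs, foreign-owned files and anything over max_bytes."""
    # O_NOFOLLOW: open() fails with ELOOP if the last component is a symlink.
    # O_NONBLOCK: open() does not hang if the path is a FIFO.
    # Caveat: O_NOFOLLOW does not cover symlinked parent directories, so a
    # privileged reader should also do this read with the user's own uid.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
    try:
        fd = os.open(path, flags)
    except OSError as e:
        if e.errno == errno.ELOOP:
            raise UnsafeSettingsFile("symlink: %s" % path) from e
        raise
    with os.fdopen(fd, "rb") as f:
        # fstat the descriptor we hold, not the path, so the checks and the
        # read apply to the same file (no check-then-open race).
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeSettingsFile("not a regular file: %s" % path)
        if st.st_uid != owner_uid:
            raise UnsafeSettingsFile("not owned by uid %d: %s" % (owner_uid, path))
        # Bounded read: at most cap + 1 bytes, whatever st_size claims.
        data = f.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise UnsafeSettingsFile("larger than %d bytes: %s" % (max_bytes, path))
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(data.decode("utf-8", errors="replace"), source=path)
    return parser


if __name__ == "__main__":
    import sys
    cfg = read_user_settings(sys.argv[1], os.getuid())
    print({s: dict(cfg[s]) for s in cfg.sections()})
```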
CVE References
information type: | Private Security → Public Security |
tags: | added: id-5db7d829ab21655404d94dff |
Changed in apport: | |
milestone: | none → 2.21.0 |
importance: | Undecided → Critical |
status: | New → Fix Released |
Thanks for reporting this issue, and for the great description and reproducer. We will investigate it shortly and will assign a CVE number. Thanks!