Comment 4 for bug 1830862

kev (kbackhouse2000) wrote : Re: [Bug 1830862] Re: Apport reads arbitrary files if ~/.config/apport/settings is a symlink

Hi Alex,

Just to confirm that I have understood correctly: this bug is in code that
is not maintained by Ubuntu/Canonical. So would it be better if I report it
to them, or would you prefer to do it yourself? If I report it to them, are
you happy for me to share the PoC that affects Apport?

Thanks,

Kev

On Fri, May 31, 2019, 07:11 Alex Murray <email address hidden> wrote:

> Apport uses the Python ConfigParser (called configparser in Python 3)
> module to read this configuration file, so I wonder if this would be
> better reported upstream there instead? I personally feel this is not a
> vulnerability in Apport but perhaps it could be argued that it is one in
> Python instead?
>
> https://bugs.launchpad.net/bugs/1830862
>
> Title:
> Apport reads arbitrary files if ~/.config/apport/settings is a symlink
>
> Status in apport package in Ubuntu:
> New
>
> Bug description:
> Dear Ubuntu Security Team,
>
> I would like to report a local denial of service vulnerability in
> Apport. This issue is a variant of issue 1830858, but I believe it is
> less severe because I was only able to use it to trigger a denial of
> service. To trigger the bug:
>
> mkdir -p ~/.config/apport
> ln -s /dev/zero ~/.config/apport/settings
> gcc segv.c -o segv
> ./segv
>
> (I have tested these steps on an up-to-date Ubuntu 18.04.)
>
> Apport will happily follow the symlink, even if it points to a file
> that requires root privileges to read. The reason why it is more
> difficult to exploit than issue 1830858 is that Apport will error out
> if the file is not formatted correctly. But if the symlink points to
> /dev/zero then Apport will keep reading until it uses all the system's
> memory, thereby DoS-ing the machine.
>
> Please let me know when you have fixed the vulnerability, so that I
> can coordinate my disclosure with yours. For reference, here is a link
> to Semmle's vulnerability disclosure policy:
> https://lgtm.com/security#disclosure_policy
>
> Thank you,
>
> Kevin Backhouse
>
> Semmle Security Research Team
>
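The read pattern the quoted report describes (a user-controlled path handed straight to ConfigParser, which follows the symlink and reads until EOF) beside an illustrative hardened reader, as an added example that is not part of this comment, the bug report, or Apport's own code. The fixture directory, the `MAX_SETTINGS_BYTES` cap and all function names are assumptions for the demonstration; Apport's actual fix is not shown on this page.

```python
import configparser
import errno
import os
import stat
import tempfile

# Assumed cap on a settings file; nothing on this page says what Apport uses.
MAX_SETTINGS_BYTES = 64 * 1024


def read_settings_naive(path):
    """The pattern the report describes: ConfigParser.read() open()s the
    path (following any symlink) and reads line by line until EOF, so a
    symlink to /dev/zero never returns. Do not call this on such a link."""
    cp = configparser.ConfigParser()
    cp.read(path)
    return cp


def _read_bounded(fd, max_bytes):
    """Read at most max_bytes + 1 bytes so an over-long file is still
    caught if it grew after the fstat() size check (TOCTOU)."""
    chunks, remaining = [], max_bytes + 1
    while remaining > 0:
        chunk = os.read(fd, remaining)
        if not chunk:
            break
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def read_settings_hardened(path, max_bytes=MAX_SETTINGS_BYTES):
    """Illustrative hardened reader (an assumption, not Apport's fix):
    O_NOFOLLOW refuses a symlink in the final path component, fstat() on
    the open descriptor (not stat() on the path) rejects anything that is
    not a regular file such as /dev/zero, and the read is size-capped."""
    flags = os.O_RDONLY | os.O_NOFOLLOW | getattr(os, "O_CLOEXEC", 0)
    try:
        fd = os.open(path, flags)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.EMLINK):  # Linux / some BSDs
            raise ValueError("refusing to follow symlink: %s" % path)
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("not a regular file: %s" % path)
        if st.st_size > max_bytes:
            raise ValueError("settings file too large: %s" % path)
        data = _read_bounded(fd, max_bytes)
    finally:
        os.close(fd)
    if len(data) > max_bytes:
        raise ValueError("settings file too large: %s" % path)
    cp = configparser.ConfigParser()
    cp.read_string(data.decode("utf-8", errors="replace"))
    return cp


def rejected(path, max_bytes=MAX_SETTINGS_BYTES):
    """True if the hardened reader refuses the path."""
    try:
        read_settings_hardened(path, max_bytes)
        return False
    except ValueError:
        return True


def build_fixture():
    """Constructed fixture (not from the report): a config dir whose
    'settings' entry is a symlink to an INI file elsewhere, plus an
    ordinary settings file for the positive case."""
    root = tempfile.mkdtemp(prefix="apport-symlink-demo-")
    cfg_dir = os.path.join(root, ".config", "apport")
    os.makedirs(cfg_dir)
    target = os.path.join(root, "elsewhere.ini")
    with open(target, "w") as f:
        f.write("[main]\nunpackaged = true\n")
    link = os.path.join(cfg_dir, "settings")
    os.symlink(target, link)
    plain = os.path.join(root, "plain-settings")
    with open(plain, "w") as f:
        f.write("[main]\nunpackaged = false\n")
    return {"root": root, "link": link, "plain": plain}


if __name__ == "__main__":
    fx = build_fixture()
    print("naive follows symlink:", dict(read_settings_naive(fx["link"])["main"]))
    print("hardened rejects symlink:", rejected(fx["link"]))
    print("hardened reads plain file:", not rejected(fx["plain"]))
    if os.path.exists("/dev/zero"):
        print("hardened rejects /dev/zero:", rejected("/dev/zero"))
```

Two caveats a practitioner should keep in mind: `O_NOFOLLOW` only protects the last path component, so if `~/.config/apport` itself is a symlink the open still goes through it, and the regular-file check is done on the descriptor that was actually opened, which is the only check that cannot be raced by swapping the path between stat and open.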