diff -Nru apport-2.20.11/data/apport apport-2.20.11/data/apport
--- apport-2.20.11/data/apport 2019-05-16 22:18:33.000000000 +0300
+++ apport-2.20.11/data/apport 2019-09-06 00:46:54.000000000 +0300
@@ -80,7 +80,7 @@
 assert real_uid is not None, 'failed to parse Uid'
 assert real_gid is not None, 'failed to parse Gid'
- cwd = os.readlink('/proc/' + pid + '/cwd')
+ cwd = os.open('/proc/' + pid + '/cwd', os.O_RDONLY | os.O_PATH | os.O_DIRECTORY)
 def drop_privileges(real_only=False):
@@ -178,12 +178,13 @@
 error_log('disabling core dump for suid/sgid/unreadable executable')
 return
- core_path = os.path.join(cwd, 'core')
 try:
 with open('/proc/sys/kernel/core_uses_pid') as f:
- if f.read().strip() != '0':
- core_path += '.' + str(pid)
- core_file = os.open(core_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
+ if f.read().strip() == '0':
+ core_path = 'core'
+ else:
+ core_path = 'core.%s' % (str(pid))
+ core_file = os.open(core_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode=0o600, dir_fd=cwd)
 except (OSError, IOError):
 return
diff -Nru apport-2.20.11/debian/changelog apport-2.20.11/debian/changelog
--- apport-2.20.11/debian/changelog 2019-07-23 00:23:42.000000000 +0300
+++ apport-2.20.11/debian/changelog 2019-09-06 00:47:25.000000000 +0300
@@ -1,3 +1,11 @@
+apport (2.20.11-0ubuntu8) UNRELEASED; urgency=medium
+
+ * SECURITY UPDATE: prevent TOCTTOU race conditions and following symbolic
+ links when creating a core file (LP: #1839413, LP: #1839414)
+ - data/apport: use file descriptor to reference to cwd instead of strings.
+
+ -- Tiago Stürmer Daitx Thu, 05 Sep 2019 21:47:25 +0000
+
 apport (2.20.11-0ubuntu7) eoan; urgency=medium
 * Resolve pycodestyle issues.
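Review bot: In the first data/apport hunk, `cwd` changes from a path string to an integer O_PATH descriptor, but the name is unchanged and nothing documents the new contract. Any code outside this hunk that still treats `cwd` as a string would now misbehave, so renaming it to `cwd_fd`, or adding a comment such as `# O_PATH fd of the crashed process's cwd; pass as dir_fd, never join into a path`, would make the change explicit. The descriptor is still obtained through the `'/proc/' + pid + '/cwd'` string, so it presumably remains tied to the pid naming the same process when this line runs. No close of the descriptor is visible in this diff, and the enclosing code continues outside the hunk.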
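Review bot: In the second data/apport hunk, `core_path` is now a bare name (`'core'` or `'core.<pid>'`) that only makes sense together with `dir_fd=cwd`. Any later path-based use of it in this function, outside the hunk, would therefore resolve against apport's own working directory instead of the crashed process's. If such a call exists, for example removing a partial core file, it needs the same descriptor, e.g. `os.unlink(core_path, dir_fd=cwd)`. A smaller style point on the added `else` branch: `'core.%s' % (str(pid))` can be `'core.' + pid`, since `pid` is already concatenated as a string in the first hunk. The function body starts and ends outside the hunk.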