Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Apport | Fix Released | Undecided | Martin Pitt | |
| apport (Ubuntu) | Fix Released | Undecided | Martin Pitt | |
| Precise | Fix Released | Undecided | Unassigned | |
| Trusty | Fix Released | Undecided | Unassigned | |
| Xenial | Fix Released | Undecided | Unassigned | |
| Yakkety | Fix Released | Undecided | Unassigned | |
| Zesty | Fix Released | Undecided | Martin Pitt | |
Bug Description
Forwarding private (encrypted) mail from Donncha O'Cearbhaill <email address hidden>:
=======
Hi Martin,
I have been auditing the Apport software in my free time and unfortunately I have found some serious security issues.

Untrusted files can be passed to apport-gtk as it is registered as the default file handler for "text/x-apport" files. The mime-type includes .crash files but also any unknown file type which begins with "ProblemType: ". An attacker could social engineer a victim into opening a malicious Apport crash file simply by clicking on it.

In apport/ui.py, Apport is reading the CrashDB field and then evaluates the field as Python code if it begins with a "{". This is very dangerous as it can allow remote attackers to execute arbitrary Python code.

The vulnerable code was introduced on 2012-08-22 in Apport revision 2464 (http://

This code was first included in release 2.6.1. All Ubuntu Desktop versions after 12.05 (Precise) include this vulnerable code by default.

An easy fix would be to parse the value as JSON instead of eval()'ing it.

There is also a path traversal issue where the Package or SourcePackage fields are not sanitized before being used to build a path to the package specific hook files in the /usr/share/ directory.

By setting "Package: ../../. remote attacker could exploit this bug to execute Python scripts that have been placed in the user's Downloads directory.

Would you like to apply for a CVE for these issues or should I? I'd like to see these issues fixed soon so that Ubuntu users can be kept safe. I'm planning to publish a blog post about these issues but I'll wait until patched versions of Apport are available in the repositories.
Please let me know if you have any questions.
Kind Regards,
Donncha
=======
I just talked to Donncha on Jabber, and he plans to disclose that in around a week.
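A hardened way of reading the two fields named in the report, as an added example that is not Apport's own code: the inline CrashDB spec is parsed as JSON (the fix Donncha suggests) instead of being eval()'d, and the Package name is checked against a fixed character set before it is joined to the hook directory, so a value such as "../../Downloads/..." never reaches the filesystem. The hook directory, the package-name character set, the minimal report parser and the sample .crash content are assumptions for this example.

```python
import json
import re
from pathlib import Path

# Assumption for this example: a package name may contain only lowercase
# letters, digits, '+', '-' and '.', and must start with a letter or digit.
# That rules out "../" segments and names that would act as option flags.
PACKAGE_NAME_RE = re.compile(r"[a-z0-9][a-z0-9+.-]*")

# Constructed sample .crash content (not from the original report): both
# fields carry the kind of value the advisory warns about.
SAMPLE_CRASH = """ProblemType: Crash
Package: ../../Downloads/hook
CrashDB: {'impl': str(1+1)}
"""


def parse_report(text):
    """Minimal 'Key: value' parser for the top-level fields of a .crash file."""
    report = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, _, value = line.partition(":")
            report[key.strip()] = value.strip()
    return report


def parse_crashdb(value):
    """Accept an inline CrashDB spec only as strict JSON; never eval() it."""
    if not value.startswith("{"):
        return value  # a plain database name, resolved by configuration elsewhere
    try:
        spec = json.loads(value)  # Python syntax such as str(1+1) is rejected here
    except ValueError:
        raise ValueError("CrashDB field is not valid JSON")
    if not isinstance(spec, dict) or "impl" not in spec:
        raise ValueError("CrashDB spec must be a JSON object with an 'impl' key")
    return spec


def hook_path(package, hook_dir):
    """Return the hook file path for a package, refusing names that could escape hook_dir."""
    if not PACKAGE_NAME_RE.fullmatch(package):
        raise ValueError(f"invalid package name: {package!r}")
    base = Path(hook_dir).resolve()
    path = (base / f"{package}.py").resolve()
    if path.parent != base:  # defence in depth; the regex already forbids separators
        raise ValueError("hook path escapes the hook directory")
    return path
```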
Related branches
Changed in apport (Ubuntu Zesty):
assignee: nobody → Martin Pitt (pitti)
information type: Private Security → Public Security
tags: added: patch
@security team: Can you please assign a CVE?
I'm on the core sprint this week, and next week I have two work days left. I'll look into this on Monday and attach patches here for review, but I most probably won't be able to do all the backports to stable releases, so I'll need some help with that.