viewing an apport-cli crash with default pager could escalate privilege (CVE-2023-1326)

Bug #2016023 reported by Benjamin Drung
| Affects         | Status       | Importance | Assigned to | Milestone |
|-----------------|--------------|------------|-------------|-----------|
| Apport          | Fix Released | Critical   | Unassigned  |           |
| apport (Ubuntu) | Fix Released | Critical   | Unassigned  |           |
| Bionic          | Fix Released | Undecided  | Unassigned  |           |
| Focal           | Fix Released | Undecided  | Unassigned  |           |
| Jammy           | Fix Released | Undecided  | Unassigned  |           |
| Kinetic         | Fix Released | Undecided  | Unassigned  |           |

Bug Description

# Description

apport-cli supports viewing a crash. This feature invokes the default pager, which is likely to be less; other functions may apply.

It can be used to break out from restricted environments by spawning an interactive system shell. If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

CVE-2023-1326 has been reserved for it.

# PoC

```
$ sudo apport-cli -c xxx.crash
!id
uid=0(root) gid=0(root) groups=0(root)
!done (press RETURN)
```

# Explanations

It's a feature, not a bug/vulnerability? It's an unexpected command-execution behavior when users just want to view some information.

It's the PAGER's duty to fix the bug? As you can see in the chapter "Fix Suggestion", there are some examples of how other applications fix the bug.

# Fix Suggestion

There are several types of solutions, with examples.

* Use the LESSSECURE environment variable
* or do not use the PAGER under root/sudo

# Reference

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26604
* https://github.com/systemd/systemd/issues/5666
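The two fix suggestions above (LESSSECURE, and not leaving the pager running as root) in working form, as an added example that is not apport's own code: it detects a sudo/pkexec invocation from the real SUDO_UID/SUDO_GID/PKEXEC_UID variables, drops to that user in the pager child before exec, and starts sensible-pager with LESSSECURE=1. The function names (`invoking_user`, `pager_environment`, `drop_privileges`, `view_crash`) are my own and are assumptions, not apport's API.

```python
import os
import pwd
import subprocess

# sudo/pkexec bookkeeping that must not leak into the pager's environment
SUDO_VARS = ("SUDO_UID", "SUDO_GID", "SUDO_USER", "SUDO_COMMAND", "PKEXEC_UID")


def invoking_user(environ, euid):
    """Return (uid, gid) of the real user when running as root via sudo or
    pkexec, or None when there is nothing to drop to."""
    if euid != 0:
        return None  # not root: the pager already runs as the caller
    ids = None
    if "SUDO_UID" in environ and "SUDO_GID" in environ:
        ids = (int(environ["SUDO_UID"]), int(environ["SUDO_GID"]))
    elif "PKEXEC_UID" in environ:
        uid = int(environ["PKEXEC_UID"])
        ids = (uid, pwd.getpwuid(uid).pw_gid)
    if ids is None or ids[0] == 0:
        return None  # genuine root session (or root invoking sudo): nothing to drop
    return ids


def pager_environment(environ):
    """Pager environment: LESSSECURE=1 makes less refuse shell-outs (!cmd, |cmd,
    :e); sudo/pkexec variables are removed so nothing spawned believes it is under sudo."""
    env = {k: v for k, v in environ.items() if k not in SUDO_VARS}
    env["LESSSECURE"] = "1"
    return env


def drop_privileges(uid, gid):
    """preexec_fn for the pager child: become the real user, irreversibly."""
    os.initgroups(pwd.getpwuid(uid).pw_name, gid)  # supplementary groups first
    os.setgid(gid)
    os.setuid(uid)
    try:
        os.setuid(0)  # must fail: if root can be regained, the drop was not real
    except PermissionError:
        return
    raise RuntimeError("privilege drop was reversible; refusing to start pager")


def view_crash(path, environ=os.environ, euid=None):
    """Show a crash file with sensible-pager, as the invoking user if root."""
    euid = os.geteuid() if euid is None else euid
    ids = invoking_user(environ, euid)
    preexec = (lambda: drop_privileges(*ids)) if ids else None
    return subprocess.run(["sensible-pager", path], env=pager_environment(environ),
                          preexec_fn=preexec, check=False).returncode
```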

Benjamin Drung (bdrung)
Changed in apport:
milestone: none → 2.26.1
importance: Undecided → Critical
Changed in apport (Ubuntu):
importance: Undecided → Critical
Changed in apport:
status: New → In Progress
Benjamin Drung (bdrung) wrote :

Attached apport 2.23.1-0ubuntu3.2 debdiff for kinetic-security.

Benjamin Drung (bdrung) wrote :

Attached apport 2.20.11-0ubuntu82.4 debdiff for jammy-security.

Benjamin Drung (bdrung) wrote :

Attached apport 2.20.11-0ubuntu27.26 debdiff for focal-security.

Benjamin Drung (bdrung) wrote :

Attached apport 2.20.9-0ubuntu7.29 debdiff for bionic-security.

Benjamin Drung (bdrung) wrote :

The debdiff for bionic needs an update for the test cases.

Benjamin Drung (bdrung) wrote :

Attached corrected apport 2.20.9-0ubuntu7.29 debdiff for bionic-security. I had to include the one-line fix for backends/packaging-apt-dpkg.py to make the autopkgtest succeed on amd64.

Benjamin Drung (bdrung) wrote :

I have done the following tests for the debdiffs:

* successful build with sbuild
* successful autopkgtest run (with qemu runner on amd64)
* Tested PoC in a schroot with the fixed apport version

Benjamin Drung (bdrung)
summary: - CVE-2023-1326
+ viewing an apport-cli crash with default pager could escalate privilege
+ (CVE-2023-1326)
Changed in apport:
status: In Progress → Fix Released
Mark Esler (eslerm) wrote :

At 11:00CDT/16:00UTC tomorrow I will stage sponsored releases in the public security-proposed repo. Once all releases are in the archive I'll publish the CVE to MITRE/CVE List.

Benjamin Drung (bdrung)
Changed in apport (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.23.1-0ubuntu3.2

---------------
apport (2.23.1-0ubuntu3.2) kinetic-security; urgency=medium

  * Let apport depend on recent python3-problem-report for recent bug fix
  * SECURITY UPDATE: viewing an apport-cli crash with default pager could
    escalate privilege (LP: #2016023)
    - d/p/refactor-Introduce-run_as_real_user.patch: Introduce
      run_as_real_user()
    - d/p/fix-Only-open-browser-as-user-via-sudo-if-running-as-root.patch:
      Only open browser as user (via sudo) if running as root
    - d/p/Replace-sudo-by-dropping-privileges-ourselves.patch: Replace sudo by
      dropping privileges ourselves
    - debian/patches/CVE-2023-1326.patch: drops privilege to users environment
      before execution
    - CVE-2023-1326

 -- Benjamin Drung <email address hidden> Wed, 12 Apr 2023 12:38:24 +0200

Changed in apport (Ubuntu Kinetic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.11-0ubuntu82.4

---------------
apport (2.20.11-0ubuntu82.4) jammy-security; urgency=medium

  * SECURITY UPDATE: viewing an apport-cli crash with default pager could
    escalate privilege (LP: #2016023)
    - apport/fileutils.py: Add get_process_environ()
    - apport/ui.py, apport/user_group.py, bin/apport-cli: drops privilege to
      users environment before execution
    - test/test_fileutils.py, test/test_ui.py, test/test_user/group.py: Add
      test cases for new code
    - CVE-2023-1326

 -- Benjamin Drung <email address hidden> Wed, 12 Apr 2023 19:00:36 +0200

Changed in apport (Ubuntu Jammy):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.9-0ubuntu7.29

---------------
apport (2.20.9-0ubuntu7.29) bionic-security; urgency=medium

  * SECURITY UPDATE: viewing an apport-cli crash with default pager could
    escalate privilege (LP: #2016023)
    - apport/ui.py, apport/user_group.py, bin/apport-cli: drops privilege to
      users environment before execution (using sudo)
    - test/test_ui.py, test/test_user/group.py: Add test cases for new code
    - CVE-2023-1326
  * backends/packaging-apt-dpkg.py: when downloading packages from Launchpad
    do not require them to be authenticated. (LP: #1989467)

 -- Benjamin Drung <email address hidden> Wed, 12 Apr 2023 19:53:49 +0200

Changed in apport (Ubuntu Bionic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.11-0ubuntu27.26

---------------
apport (2.20.11-0ubuntu27.26) focal-security; urgency=medium

  * SECURITY UPDATE: viewing an apport-cli crash with default pager could
    escalate privilege (LP: #2016023)
    - apport/ui.py, apport/user_group.py, bin/apport-cli: drops privilege to
      users environment before execution (using sudo)
    - test/test_ui.py, test/test_user/group.py: Add test cases for new code
    - CVE-2023-1326

 -- Benjamin Drung <email address hidden> Wed, 12 Apr 2023 18:41:51 +0200

Changed in apport (Ubuntu Focal):
status: New → Fix Released
Mark Esler (eslerm)
Changed in apport (Ubuntu Bionic):
status: Fix Released → Fix Committed
Changed in apport (Ubuntu Focal):
status: Fix Released → Fix Committed
Changed in apport (Ubuntu Jammy):
status: Fix Released → Fix Committed
Changed in apport (Ubuntu Kinetic):
status: Fix Released → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.26.1-0ubuntu2

---------------
apport (2.26.1-0ubuntu2) lunar; urgency=medium

  * fix(tests): Clear environment for test_run_as_real_user_no_sudo

apport (2.26.1-0ubuntu1) lunar; urgency=medium

  [ Benjamin Drung ]
  * New upstream bug-fix release.
    - SECURITY UPDATE: viewing an apport-cli crash with default pager could
      escalate privilege (LP: #2016023). Do not run sensible-pager as root
      if using sudo/pkexec.
    - Catch HTTPError in UserInterface.file_report (LP: #2008638)
    - Print proper error message if /proc/<pid> is gone (LP: #2008638)
    - Do not drop environment variables when calling GDB (LP: #2012374)
    - Fix parsing options with spaces in sources.list (LP: #1822712)
  * Disable Launchpad crash reports for 23.04 release

  [ Sebastien Bacher ]
  * Let subiquity collect the desktop installer details if available

 -- Benjamin Drung <email address hidden> Fri, 14 Apr 2023 00:17:27 +0200

Changed in apport (Ubuntu):
status: Fix Committed → Fix Released
Mark Esler (eslerm)
Changed in apport (Ubuntu Bionic):
status: Fix Committed → Fix Released
Changed in apport (Ubuntu Focal):
status: Fix Committed → Fix Released
Changed in apport (Ubuntu Jammy):
status: Fix Committed → Fix Released
Changed in apport (Ubuntu Kinetic):
status: Fix Committed → Fix Released
Benjamin Drung (bdrung)
information type: Private Security → Public Security
This report contains Public Security information. Everyone can see this security related information.