Launchpad CVE tracker

CVE 2020-15702

TOCTOU Race Condition vulnerability in apport allows a local attacker to escalate privileges and execute arbitrary code. An attacker may exit the crashed process and exploit PID recycling to spawn a root process with the same PID as the crashed process, which can then be used to escalate privileges. Fixed in 2.20.1-0ubuntu2.24, 2.20.9 versions prior to 2.20.9-0ubuntu7.16 and 2.20.11 versions prior to 2.20.11-0ubuntu27.6. Was ZDI-CAN-11234.

Related bugs and status

CVE-2020-15702 (Candidate) is related to these bugs:

Bug #1876659: Unhandled exception in run_hang()

Summary				In	Importance	Status
	1876659	Unhandled exception in run_hang()		apport (Ubuntu)	Undecided	Fix Released
	1876659	Unhandled exception in run_hang()		Apport	Critical	Fix Released

Bug #1877023: Unhandled exception in check_ignored()

Summary				In	Importance	Status
	1877023	Unhandled exception in check_ignored()		apport (Ubuntu)	Medium	Fix Released
	1877023	Unhandled exception in check_ignored()		Apport	Critical	Fix Released

Bug #1885633: [ZDI-CAN-11233]: apport Unnecessary Privileges Information Disclosure Vulnerability

		In	Importance	Status
1885633	[ZDI-CAN-11233]: apport Unnecessary Privileges Information Disclosure Vulnerability	apport (Ubuntu)	Medium	Fix Released
1885633	[ZDI-CAN-11233]: apport Unnecessary Privileges Information Disclosure Vulnerability	apport (Ubuntu Eoan)	Medium	Won't Fix
1885633	[ZDI-CAN-11233]: apport Unnecessary Privileges Information Disclosure Vulnerability	apport (Ubuntu Xenial)	Medium	Fix Released
1885633	[ZDI-CAN-11233]: apport Unnecessary Privileges Information Disclosure Vulnerability	apport (Ubuntu Focal)	Medium	Fix Released
1885633	[ZDI-CAN-11233]: apport Unnecessary Privileges Information Disclosure Vulnerability	apport (Ubuntu Bionic)	Medium	Fix Released
1885633	[ZDI-CAN-11233]: apport Unnecessary Privileges Information Disclosure Vulnerability	Apport	Medium	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2020-15702

References