/usr/share/apport/kernel_crashdump accesses files in insecure manner
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Apport | Fix Released | High | Martin Pitt |
apport (Ubuntu) | Fix Released | High | Martin Pitt |
Precise | Fix Released | High | Marc Deslauriers |
Trusty | Fix Released | High | Marc Deslauriers |
Vivid | Fix Released | High | Marc Deslauriers |
Wily | Fix Released | High | Martin Pitt |
Bug Description
On the Ubuntu Vivid Linux distribution, upstart or SysV init invokes the program /usr/share/
The problematic syscall in kernel_crashdump is:
open("/
...
open("/
Thus the output file is opened unconditionally and without O_EXCL or O_NOFOLLOW. Also, opening of the input file does not care about links.
By sym- or hardlinking from the predictable dump file name to the vmcore.log, kernel_crashdump will recursively include its own dump as a logfile, thus filling the disk. This also works with symlink and hardlink protection turned on.
By symlinking to other files (with symlink protection off), arbitrary files can be overwritten to gain root privileges.
# lsb_release -rd
Description: Ubuntu 15.04
Release: 15.04
# apt-cache policy apport
apport:
Installed: 2.17.2-0ubuntu1.3
Candidate: 2.17.2-0ubuntu1.3
Version table:
*** 2.17.2-0ubuntu1.3 0
500 http://
100 /var/lib/
2.
500 http://
2.
500 http://
See http://
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Anyone helping to fix, analyze, mitigate, the security issue at
http://
to improve security is allowed to view and use this resource. It
may be passed on (including password) to other security engineers
under the same conditions at your own risk. Free circulation
of that resource is allowed as soon as password protection was
removed or when stated on the page itself.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAlX
9bYAni2R8hAZVWW
=Y4E5
-----END PGP SIGNATURE-----
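The two open() problems the report points at (output created without O_EXCL/O_NOFOLLOW at a predictable name; input attached without regard to links) can be reproduced and contrasted with a hardened variant in a throwaway directory. The following is an added example written for this page, not apport's code and not the patch that fixed the bug: the file names `predictable.crash`, `vmcore.log` and `victim` are constructed stand-ins, `victim` plays the role of an arbitrary file the attacker wants overwritten, and the inode comparison in `open_input_safely` is one way to catch the hardlink self-inclusion trick, chosen here for illustration. It assumes Linux semantics for O_NOFOLLOW (ELOOP on a symlink) and O_EXCL (EEXIST even when the existing name is a symlink).

```python
"""Added example (not apport's code): the unsafe open() pattern from the
bug report beside a hardened variant, exercised in a temporary directory."""
import errno
import os
import stat
import tempfile


def vulnerable_write(path: str, data: str) -> None:
    """The pattern the report describes: open(path, O_WRONLY|O_CREAT|O_TRUNC).
    A symlink planted at `path` is followed, so whatever it points to is truncated."""
    with open(path, "w") as f:
        f.write(data)


def hardened_write(path: str, data: str) -> None:
    """Refuse an existing name (O_EXCL) and never follow a symlink (O_NOFOLLOW);
    create owner-only instead of trusting the umask."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW | os.O_CLOEXEC
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def open_input_safely(src: str, out_fd: int) -> int:
    """Open a log to be attached: no symlink following, must be a regular file,
    and must not be the same inode as the output (the hardlink trick that makes
    the dumper swallow its own output and fill the disk)."""
    fd = os.open(src, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    st_in, st_out = os.fstat(fd), os.fstat(out_fd)
    same_inode = (st_in.st_dev, st_in.st_ino) == (st_out.st_dev, st_out.st_ino)
    if not stat.S_ISREG(st_in.st_mode) or same_inode:
        os.close(fd)
        raise OSError(errno.EPERM, "input is not a plain file distinct from the output")
    return fd


def demo() -> dict:
    """Run the attack scenarios against both writers; return which outcome happened."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "victim")            # constructed stand-in for a root-owned file
        dump = os.path.join(d, "predictable.crash")   # constructed stand-in for the predictable dump name
        log = os.path.join(d, "vmcore.log")           # constructed stand-in for the attached log

        with open(target, "w") as f:
            f.write("original\n")
        os.symlink(target, dump)                      # attacker pre-plants the symlink

        # 1. vulnerable writer follows the symlink and clobbers the victim file
        vulnerable_write(dump, "attacker-controlled\n")
        with open(target) as f:
            results["vulnerable_clobbered"] = f.read() != "original\n"

        # 2. hardened writer: O_CREAT|O_EXCL fails with EEXIST on the planted symlink
        try:
            hardened_write(dump, "x")
            results["hardened_refused_symlink"] = False
        except FileExistsError:
            results["hardened_refused_symlink"] = True
        os.unlink(dump)

        # 3. a hardlink planted at the output name is refused the same way
        with open(log, "w") as f:
            f.write("log\n")
        os.link(log, dump)
        try:
            hardened_write(dump, "x")
            results["hardened_refused_hardlink"] = False
        except FileExistsError:
            results["hardened_refused_hardlink"] = True
        os.unlink(dump)

        # 4. output created cleanly, then the log name is hardlinked onto it:
        #    the fstat inode comparison rejects the self-inclusion
        hardened_write(dump, "")
        out_fd = os.open(dump, os.O_WRONLY | os.O_APPEND | os.O_NOFOLLOW | os.O_CLOEXEC)
        os.unlink(log)
        os.link(dump, log)
        try:
            open_input_safely(log, out_fd)
            results["input_same_inode_rejected"] = False
        except OSError as e:
            results["input_same_inode_rejected"] = e.errno == errno.EPERM

        # 5. the log name replaced by a symlink: O_NOFOLLOW fails with ELOOP
        os.unlink(log)
        os.symlink(dump, log)
        try:
            open_input_safely(log, out_fd)
            results["input_symlink_rejected"] = False
        except OSError as e:
            results["input_symlink_rejected"] = e.errno == errno.ELOOP
        os.close(out_fd)
    return results


if __name__ == "__main__":
    print(demo())
```

Note that O_EXCL|O_NOFOLLOW only closes the output side; the input side still needs the fstat check, because a hardlink created between the output open and the input open points at the same inode through a perfectly ordinary path name.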
CVE References
Changed in apport (Ubuntu Precise): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
Changed in apport (Ubuntu Trusty): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
Changed in apport (Ubuntu Vivid): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
Changed in apport (Ubuntu Vivid): | |
status: | New → In Progress |
Changed in apport (Ubuntu Trusty): | |
status: | New → In Progress |
Changed in apport (Ubuntu Precise): | |
status: | New → In Progress |
assignee: | Marc Deslauriers (mdeslaur) → Martin Pitt (pitti) |
Changed in apport: | |
status: | In Progress → Fix Committed |
status: | Fix Committed → In Progress |
information type: | Private Security → Public Security |
Changed in apport (Ubuntu Wily): | |
status: | In Progress → Fix Committed |
tags: | added: patch |
Changed in apport (Ubuntu Precise): | |
importance: | Undecided → High |
Changed in apport (Ubuntu Trusty): | |
importance: | Undecided → High |
Changed in apport (Ubuntu Vivid): | |
importance: | Undecided → High |
Hi Martin,
Could you please take a look at this issue? Thanks!