Unhandled exception in check_ignored()

Bug #1877023 reported by Seong-Joong Kim
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fix Released
apport (Ubuntu)
Fix Released

Bug Description


I have found a security issue on apport 2.20.11 and earlier.

## Vulnerability
apport 2.20.11 and earlier have an unhandled exception vulnerability during parsing apport-ignore.xml.
An attacker can cause a denial of service (i.e., application crash) via a crafted apport-ignore.xml file.

## Description
Reports can be suppressed by blacklisting in apport-ignore.xml.

This is an example of apport-ignore.xml

<?xml version="1.0" ?>
  <ignore mtime="1461374304" program="/opt/sublime_text/sublime_text"/>
  <ignore mtime="1453471676" program="/bin/sleep"/>
  <ignore mtime="1452699271" program="/usr/bin/strace"/>

Unfortunately, it may cause an unhandled exception when 'mtime' attribute is specified as a string value, not a number like this.

<?xml version="1.0" ?>
  <ignore mtime="string" program="/bin/sleep"/>

It may disrupt apport service and allow an attacker to potentially enable a denial of service via local access.

The flaw lies in improper exception handling of 'mtime' attribute in apport-ignore.xml (see https://git.launchpad.net/ubuntu/+source/apport/tree/apport/report.py?h=applied/ubuntu/devel#n1104).

## Log
Here is /var/log/apport.log when the above exception occurs.

ERROR: apport (pid 25904) Tue May 5 18:38:21 2020: Unhandled exception:
Traceback (most recent call last):
  File "/usr/share/apport/apport", line 629, in <module>
    if info.check_ignored():
  File "/usr/lib/python3/dist-packages/apport/report.py", line 1082, in check_ignored
    if float(ignore.getAttribute('mtime')) >= cur_mtime:
ValueError: could not convert string to float: 'string'


Tags: patch
description: updated
Revision history for this message
Seong-Joong Kim (sungjungk) wrote :

Uncaught exception on malformed XML declaration.
Invalid data in the XML declaration causes an exception of a type that was not handled properly in the parser and leads an unexpected exception.
Please check the attached patch.

information type: Private Security → Public Security
affects: apport → apport (Ubuntu)
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "unhandled-XML-exception.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Changed in apport (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hello, please use CVE-2020-15701 for this issue. Thanks

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.11-0ubuntu27.6

apport (2.20.11-0ubuntu27.6) focal-security; urgency=medium

  * SECURITY UPDATE: information disclosure issue (LP: #1885633)
    - data/apport: also drop gid when checking if user session is closing.
    - CVE-2020-11936
  * SECURITY UPDATE: crash via malformed ignore file (LP: #1877023)
    - apport/report.py: don't crash on malformed mtime values.
    - CVE-2020-15701
  * SECURITY UPDATE: TOCTOU in core file location
    - data/apport: make sure the process hasn't been replaced after Apport
      has started.
    - CVE-2020-15702
  * apport/ui.py, test/test_ui.py: make sure a PID is specified when using
    --hanging (LP: #1876659)
  * WARNING: This package does _not_ contain the changes from
    2.20.11-0ubuntu27.5 in focal-proposed.

 -- Marc Deslauriers <email address hidden> Fri, 31 Jul 2020 09:10:30 -0400

Changed in apport (Ubuntu):
status: Confirmed → Fix Released
Benjamin Drung (bdrung)
Changed in apport:
milestone: none → 2.21.0
importance: Undecided → Critical
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.