This bug was fixed in the package apport - 2.0.1-0ubuntu17.6

---------------
apport (2.0.1-0ubuntu17.6) precise-security; urgency=low
  * SECURITY UPDATE: incorrect permissions on setuid process core dumps
    (LP: #1242435)
    - use correct permissions when writing the core file in data/apport,
      added test to test/test_signal_crashes.py.
    - Thanks to Martin Pitt for the patch!
    - CVE-2013-1067
 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>  Wed, 23 Oct 2013 13:04:37 -0400

** Changed in: apport (Ubuntu Precise)
       Status: Triaged => Fix Released

** Changed in: apport (Ubuntu Raring)
       Status: Triaged => Fix Released

https://bugs.launchpad.net/bugs/1242435

Title:
  Desktop setuid cores readable by non-privileged user

Status in Apport crash detection/reporting:
  In Progress
Status in “apport” package in Ubuntu:
  Triaged
Status in “apport” source package in Lucid:
  Invalid
Status in “apport” source package in Precise:
  Fix Released
Status in “apport” source package in Quantal:
  Fix Released
Status in “apport” source package in Raring:
  Fix Released
Status in “apport” source package in Saucy:
  Fix Released
Status in “apport” source package in Trusty:
  Triaged

Bug description:
  Elsewhere I have been working on a sensitive information leak via core
  dump generated by gcore(1). The sensitive information in question is
  read by a stock setuid root binary executed by a non-privileged user.

  On Ubuntu Desktop fs.suid_dumpable=2. Referencing
  https://www.kernel.org/doc/Documentation/sysctl/fs.txt:

    2 - (suidsafe) - any binary which normally would not be dumped is
    dumped anyway, but only if the "core_pattern" kernel sysctl is set to
    either a pipe handler or a fully qualified path. (For more details on
    this limitation, see CVE-2006-2451.) This mode is appropriate when
    administrators are attempting to debug problems in a normal
    environment, and either have a core dump pipe handler that knows to
    treat privileged core dumps with care, or specific directory defined
    for catching core dumps. If a core dump happens without a pipe handler
    or fully qualified path, a message will be emitted to syslog warning
    about the lack of a correct setting.

  NB "treat privileged core dumps with care".

  On a stock Desktop 12.04 LTS install:

    kernel.core_pattern = |/usr/share/apport/apport %p %s %c

  apport dutifully dumps the core and this is readable (0660, user:user)
  by the invoking user, whereas it should be something like 0440,
  root:root. I believe this to be a bug in apport.
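As an added illustration of the handling the reporter asks for (this is not apport's code, not the patch referenced in the changelog above, and not part of the bug report): a Python sketch of the decision a core_pattern pipe handler has to make before it writes a core file. It assumes the handler can read /proc/<pid>/status for the %p the kernel passes (the kernel keeps the crashing process alive while the handler drains the core from stdin), and it uses constructed status contents for a setuid-root process and for an ordinary one. It chooses 0400 root:root for privileged dumps, slightly stricter than the 0440 root:root the reporter suggests, and 0600 owned by the invoking user for ordinary ones.

```python
import os
import stat
import tempfile

# Constructed sample contents of /proc/<pid>/status for two crashing
# processes. A real handler would read the live file for the pid the
# kernel passes as %p (assumption stated in the lead-in).
STATUS_SETUID_ROOT = (
    "Name:\tpasswd\n"
    "Uid:\t1000\t0\t0\t0\n"          # real 1000; effective/saved/fs uid 0
    "Gid:\t1000\t1000\t1000\t1000\n"
)
STATUS_PLAIN_USER = (
    "Name:\tfirefox\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\n"
)


def parse_proc_status(text):
    """Return ((ruid, euid, suid, fsuid), (rgid, egid, sgid, fsgid))
    from the text of /proc/<pid>/status."""
    uids = gids = None
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "Uid:":
            uids = tuple(int(x) for x in fields[1:5])
        elif fields and fields[0] == "Gid:":
            gids = tuple(int(x) for x in fields[1:5])
    if uids is None or gids is None or len(uids) != 4 or len(gids) != 4:
        raise ValueError("Uid:/Gid: lines missing or malformed")
    return uids, gids


def is_privileged_dump(uids, gids):
    """True if the process holds any credential its invoking (real) user
    does not have: a set-user-ID or set-group-ID binary, including one
    that temporarily switched back to the real uid but kept a saved uid."""
    return any(u != uids[0] for u in uids) or any(g != gids[0] for g in gids)


def core_owner_and_mode(uids, gids):
    """Who may read the core: the invoking user only for ordinary crashes,
    root only (0400) when the dump may contain privileged memory."""
    if is_privileged_dump(uids, gids):
        return 0, 0, 0o400
    return uids[0], gids[0], 0o600


def write_core(path, data, uids, gids):
    """Create the core file with the ownership and mode chosen above.

    O_EXCL refuses to clobber an existing file and O_NOFOLLOW refuses to
    write through a symlink the crashing user may have planted in the
    target directory. The mode is pinned with fchmod afterwards because
    the umask can only narrow the create mode, never widen it. Ownership
    is changed only when running as root (a real pipe handler does)."""
    uid, gid, mode = core_owner_and_mode(uids, gids)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, mode)  # mode applies to later opens, not to this fd
    try:
        os.fchmod(fd, mode)
        if os.geteuid() == 0 and hasattr(os, "fchown"):
            os.fchown(fd, uid, gid)
        view = memoryview(data)
        while view:  # os.write may write less than requested
            view = view[os.write(fd, view):]
    finally:
        os.close(fd)
    return uid, gid, mode


def demo():
    """Dump constructed core bytes for both processes into a temporary
    directory and return the resulting file modes keyed by process name."""
    result = {}
    with tempfile.TemporaryDirectory() as d:
        for name, status in (("passwd", STATUS_SETUID_ROOT),
                             ("firefox", STATUS_PLAIN_USER)):
            uids, gids = parse_proc_status(status)
            path = os.path.join(d, "core." + name)
            write_core(path, b"\x7fELF constructed core bytes", uids, gids)
            result[name] = stat.S_IMODE(os.stat(path).st_mode)
    return result


if __name__ == "__main__":
    for name, mode in demo().items():
        print(name, oct(mode))
```

The check deliberately compares all four uid and gid columns against the real id rather than only real versus effective: a setuid program that has called seteuid() back to the caller's uid still has root in its saved uid, and its memory may already hold the secret it read while privileged.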