[Touch-packages] [Bug 1726372] Re: Multiple security issues in Apport
This bug was fixed in the package apport - 2.20.8-0ubuntu1

---------------
apport (2.20.8-0ubuntu1) bionic; urgency=medium

  * New upstream release:
    - SECURITY UPDATE: Denial of service via resource exhaustion and
      privilege escalation when handling crashes of tainted processes.
      - When /proc/sys/fs/suid_dumpable is set to 2, do not assume that the
        user and group owning the /proc/<pid>/stat file is the same owner
        and group that started the process. Rather check the dump mode of
        the crashed process and do not write a core file if its value is 2.
        Thanks to Sander Bos for discovering this issue!
        (CVE-2017-14177, LP: #1726372)
    - SECURITY UPDATE: Denial of service via resource exhaustion, privilege
      escalation, and possible container escape when handling crashes of
      processes inside PID namespaces.
      - Change the method for determining if a crash is from a container so
        that there are no false positives from software using PID
        namespaces. Additionally, disable container crash forwarding by
        ignoring crashes that occur in a PID namespace. This functionality
        may be re-enabled in a future update. Thanks to Sander Bos for
        discovering this issue! (CVE-2017-14180, LP: #1726372)
  * apport/hookutils.py: modify package_versions to return an empty string
    if packages is empty. (LP: #1723822)

 -- Brian Murray  Wed, 15 Nov 2017 12:44:24 -0800

** Changed in: apport (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1726372

Title:
  Multiple security issues in Apport

Status in apport package in Ubuntu:
  Fix Released
Status in apport source package in Trusty:
  Fix Released
Status in apport source package in Xenial:
  Fix Released
Status in apport source package in Zesty:
  Fix Released
Status in apport source package in Artful:
  Fix Released

Bug description:
  We have received the following advisory:

  Security vulnerability report: multiple vulnerabilities in Apport / Ubuntu

  OVERVIEW

  Author: Sander Bos
  Author's e-mail address: sbos _at_ sbosnet _dot_ nl
  Author's web site: www.sbosnet.nl
  CVE numbers: requested
  Date: 2017-10-23
  Version: 2

  SUMMARY

  Several security vulnerabilities were discovered by Sander Bos in the
  "Apport" crash handler program [1] affecting all currently supported
  releases of Ubuntu (12.04 LTS (ESM), 14.04 LTS, 16.04 LTS, 17.04, 17.10)
  and, likely, other distributions and Ubuntu derivatives using Apport as
  well. Exploitation types are privilege escalation (root exploitation),
  full disk DoS, and Linux container escaping.

  DESCRIPTION, WITH PROPOSED FIXES / WORKAROUNDS

  Issue 1 (CVE-2017-14177): Incomplete fix for CVE-2015-1324

  Exploitation types: privilege escalation, full disk DoS.
  Ubuntu releases affected: 12.04 LTS (ESM), 14.04 LTS, 16.04 LTS, 17.04,
  17.10 (i.e., all currently supported releases).
  Note: default OS installations might need an extra package installed, or
  a system configuration setting changed, to be exploitable.

  Description:

  The Apport issue I reported in 2015 (CVE-2015-1324) [2], leading to
  privilege escalation, was not fixed properly. The initial issue and
  vulnerability still apply, although to a lesser extent.

  Since the introduction of the fix [3] Apport detects setuid, unreadable,
  and other types of tainted / protected binaries / processes by comparing
  the real UID and real GID of the crashed process, read from
  /proc/<pid>/status and which Apport first sets its own UID and GID to,
  with the UID and GID file owner information of /proc/<pid>/stat. For
  non-tainted processes, the file owner information of /proc/<pid>/stat is
  the UID and GID of the user that started the process. For tainted
  processes, the file owner information is 0. If the comparison does not
  match, Apport assumes the process to be a tainted process, and disables
  writing a core dump file. This in itself is correct. However, if the
  comparison _does_ match, it is not always correct to assume that the
  process is _not_ a tainted process (and, consequently, write a core dump
  file). For example, some setuid programs run by users receive real UID 0
  and real GID 0. Also, some setuid processes started by root (partially)
  drop privileges at some point (after which users could crash them), for
  example after forking, but retain real UID 0 and real GID 0. In such
  cases, Apport writes a core dump file (as root) while in fact it should
  not do so. This brings back the problem of CVE-2015-1324. It should also
  be noted that, for the same reason, Apport "dropping privileges" to the
  real UID and real GID read from /proc/<pid>/status is at times incorrect
  and, thus, unsafe as well.

  Proposed fix:

  The proper fix is to really _never_ write a core dump file for processes
  where suid_dumpable=2 got effectuated. This was probably what was
  intended with the fix for CVE-2015-1324, but the check that was created
  does not catch all cases of tainted processes. A better approach would be
  to let Apport read out "%d" from core(5) through "kernel.core_pattern"
  and if it returns "2", not write a core dump file.

  Note however that "%d" is only present since kernel version 3.7, and
  would thus not work on Ubuntu 12.04 LTS systems running a 3.2 "GA"
  (General Availability) kernel from earlier Ubuntu 12.04.x LTS releases
  (as opposed to such systems running a 3.13 "HWE" (Hardware Enablement
  Stack) kernel from later Ubuntu 12.04.x LTS releases).

  Issue 2 (CVE-2017-14179): Apport lacking container / PID namespace support
  and
  Issue 3 (CVE-2017-14180): Apport broken container / PID namespace support

  Exploitation types: container escape, privilege escalation, full disk DoS.
  Ubuntu releases affected: 12.04 LTS (ESM), 16.04 LTS, 17.04, 17.10.
  Note: exploitable on default OS installations.

  Description:

  Issue 2 (CVE-2017-14179):
  Ubuntu 12.04 LTS: Apport does not recognize ("support") PID namespaces /
  containers.

  Issue 3 (CVE-2017-14180):
  Ubuntu 16.04 LTS, Ubuntu 17.04, and Ubuntu 17.10:
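The following Python is an added illustration, not Apport's own code. It models the two decisions the changelog above describes for a pipe-style core handler: refusing to write a core file when the kernel-reported dump mode (%d) is 2, and ignoring crashes that occur inside a PID namespace. It also keeps the older UID/GID-owner comparison to show the case the advisory calls out, where that check alone matches root:root and would wrongly allow the dump. Assumptions: the handler is invoked via a core_pattern of the form "|handler %p %s %c %d %P" (field order chosen here), a PID namespace is detected by comparing %p with %P (this example's method, not necessarily Apport's), and the CrashInfo samples are constructed.

```python
"""Core-dump handler decision logic (constructed example, not Apport's code).

Two checks from the CVE-2017-14177 / CVE-2017-14180 changelog are modelled:
  * dump mode (%d, the PR_GET_DUMPABLE value) == 2 means fs.suid_dumpable=2
    applied to this process after a privilege transition, so a handler
    running as root must not write a core on the crashing user's behalf;
  * %p (PID inside the process's own PID namespace) != %P (PID in the
    initial namespace) means the crash happened inside a PID namespace.
Assumed core_pattern: "|handler %p %s %c %d %P" (this example's choice).
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class CrashInfo:
    pid: int             # %p: PID as seen in the crashing process's namespace
    global_pid: int      # %P: PID as seen in the initial (host) namespace
    dump_mode: int       # %d: dumpable flag (0 = no, 1 = normal, 2 = suid-safe)
    real_uid: int        # real UID from the "Uid:" line of /proc/<pid>/status
    real_gid: int        # real GID from the "Gid:" line of /proc/<pid>/status
    stat_owner_uid: int  # st_uid of /proc/<pid>/stat
    stat_owner_gid: int  # st_gid of /proc/<pid>/stat


def parse_core_pattern_args(argv: List[str]) -> Tuple[int, int, int, int, int]:
    """Parse the five integer fields of the assumed core_pattern.

    Returns (pid, signal, core_limit, dump_mode, global_pid). A malformed
    invocation raises ValueError instead of reaching a write decision.
    """
    if len(argv) != 5:
        raise ValueError("expected 5 core_pattern fields, got %d" % len(argv))
    pid, sig, limit, dump_mode, global_pid = (int(a) for a in argv)
    if dump_mode not in (0, 1, 2):
        raise ValueError("dump mode out of range: %d" % dump_mode)
    return pid, sig, limit, dump_mode, global_pid


def legacy_is_tainted(info: CrashInfo) -> bool:
    """The CVE-2015-1324 heuristic the advisory criticises.

    A protected (setuid, unreadable) process has /proc/<pid>/stat owned by
    root rather than by the user whose real UID/GID it carries, so a
    mismatch flags it as tainted. A match does NOT prove the process is
    safe: a setuid helper that keeps real UID 0 also matches root:root.
    """
    return (info.real_uid, info.real_gid) != (info.stat_owner_uid,
                                              info.stat_owner_gid)


def should_write_core(info: CrashInfo) -> Tuple[bool, str]:
    """Hardened decision: returns (write_core, reason)."""
    if info.pid != info.global_pid:
        # Container forwarding disabled: crashes in a PID namespace are ignored.
        return False, "crash inside a PID namespace, ignored"
    if info.dump_mode == 2:
        # The kernel says suid_dumpable=2 took effect for this process.
        return False, "dump mode 2 (suid_dumpable=2 in effect), no core written"
    if info.dump_mode == 0:
        # Defensive: the kernel should not even invoke the handler here.
        return False, "process not dumpable"
    if legacy_is_tainted(info):
        return False, "UID/GID owner mismatch, protected process"
    return True, "ordinary process owned by the crashing user"


# Constructed sample crashes.
ORDINARY = CrashInfo(pid=4242, global_pid=4242, dump_mode=1,
                     real_uid=1000, real_gid=1000,
                     stat_owner_uid=1000, stat_owner_gid=1000)

# Setuid-root helper that partially dropped privileges but kept real UID 0:
# the legacy comparison matches (0:0 == 0:0), yet the dump mode is 2.
SUID_KEEPS_ROOT = CrashInfo(pid=5151, global_pid=5151, dump_mode=2,
                            real_uid=0, real_gid=0,
                            stat_owner_uid=0, stat_owner_gid=0)

# Process that is PID 1 inside a container but PID 31337 on the host.
IN_PID_NAMESPACE = CrashInfo(pid=1, global_pid=31337, dump_mode=1,
                             real_uid=1000, real_gid=1000,
                             stat_owner_uid=1000, stat_owner_gid=1000)


if __name__ == "__main__":
    for name, info in (("ordinary", ORDINARY),
                       ("suid-keeps-root", SUID_KEEPS_ROOT),
                       ("pid-namespace", IN_PID_NAMESPACE)):
        print(name, "legacy tainted:", legacy_is_tainted(info),
              "hardened:", should_write_core(info))
```

Running it shows the gap the advisory describes: the legacy check reports SUID_KEEPS_ROOT as not tainted, while the dump-mode check refuses the core.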
[Touch-packages] [Bug 1726372] Re: Multiple security issues in Apport
** Branch linked: lp:~ubuntu-core-dev/ubuntu/bionic/apport/ubuntu
[Touch-packages] [Bug 1726372] Re: Multiple security issues in Apport
** Tags added: patch
[Touch-packages] [Bug 1726372] Re: Multiple security issues in Apport
** Branch linked: lp:apport
[Touch-packages] [Bug 1726372] Re: Multiple security issues in Apport
Filed an SRU regression bug here
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1732518 to track
re-enabling of container support.
[Touch-packages] [Bug 1726372] Re: Multiple security issues in Apport
This bug was fixed in the package apport - 2.14.1-0ubuntu3.27

---------------
apport (2.14.1-0ubuntu3.27) trusty-security; urgency=medium

  * SECURITY UPDATE: Denial of service via resource exhaustion and
    privilege escalation when handling crashes of tainted processes
    (LP: #1726372)
    - When /proc/sys/fs/suid_dumpable is set to 2, do not assume that the
      user and group owning the /proc/<pid>/stat file is the same user and
      group that started the process. Rather check the dump mode of the
      crashed process and do not write a core file if its value is 2.
      Thanks to Sander Bos for discovering this issue!
    - CVE-2017-14177
  * SECURITY UPDATE: Denial of service via resource exhaustion, privilege
    escalation, and possible container escape when handling crashes of
    processes inside PID namespaces (LP: #1726372)
    - Change the method for determining if a crash is from a container so
      that there are no false positives from software using PID namespaces.
      Additionally, disable container crash forwarding by ignoring crashes
      that occur in a PID namespace. This functionality may be re-enabled
      in a future update. Thanks to Sander Bos for discovering this issue!
    - CVE-2017-14180

 -- Brian Murray  Mon, 13 Nov 2017 08:54:04 -0800

** Changed in: apport (Ubuntu Trusty)
       Status: New => Fix Released
[Touch-packages] [Bug 1726372] Re: Multiple security issues in Apport
** Information type changed from Private Security to Public Security