This bug was fixed in the package apport - 2.19-0ubuntu1

---------------
apport (2.19-0ubuntu1) wily; urgency=medium
  * New upstream release:
    - apport: Drop re-nicing. This might decrease the time a user has to
      wait for apport to finish the core dump for a crashed/hanging
      foreground process. (See LP #1278780)
    - kernel_crashdump: Enforce that the log/dmesg files are not a symlink.
      This prevents normal users from pre-creating a symlink to the
      predictable .crash file, and thus triggering a "fill up disk" DoS
      attack when the .crash report tries to include itself.
      Thanks to halfdog for discovering this! (CVE-2015-1338, part of
      LP #1492570)
    - SECURITY FIX: Fix all writers of report files (package_hook,
      kernel_crashdump, and similar) to open the report file exclusively,
      i.e. fail if they already exist. This prevents privilege escalation
      through symlink attacks. Note that this will also prevent overwriting
      previous reports with the same name.
      Thanks to halfdog for discovering this! (CVE-2015-1338, LP: #1492570)
    - apport: Ignore process restarts from systemd's watchdog. Their traces
      are usually useless as they don't have any information about the
      actual reason why processes hang (like VM suspends or kernel lockups
      with bad hardware) (LP: #1433320)

 -- Martin Pitt <martin.p...@ubuntu.com>  Thu, 24 Sep 2015 14:41:54 +0200

** Changed in: apport (Ubuntu Wily)
       Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1492570

Title:
  /usr/share/apport/kernel_crashdump accesses files in insecure manner

Status in Apport:
  Fix Released
Status in apport package in Ubuntu:
  Fix Released
Status in apport source package in Precise:
  Fix Released
Status in apport source package in Trusty:
  Fix Released
Status in apport source package in Vivid:
  Fix Released
Status in apport source package in Wily:
  Fix Released

Bug description:
  On the Ubuntu Vivid Linux distribution, upstart or SysV init invokes the program /usr/share/apport/kernel_crashdump at boot to prepare crash dump files for sending. This action is performed with root privileges. As the crash dump directory /var/crash/ is world writable and kernel_crashdump performs file access in an unsafe manner, any local user may trigger a denial of service or escalate to root privileges. If symlink and hardlink protection is enabled (which should be the default for any modern system), only denial of service is possible.

  The problematic syscall in kernel_crashdump is:

  open("/var/crash/linux-image-3.19.0-18-generic.0.crash", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE|O_CLOEXEC, 0666) = 30
  ...
  open("/var/crash/vmcore.log", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 31

  Thus the output file is opened unconditionally and without O_EXCL or O_NOFOLLOW. Also, opening of the input file does not care about links. By sym- or hardlinking from the predictable dump file name to the vmcore.log, kernel_crashdump will recursively include its own dump as logfile, thus filling the disk. This also works with symlink and hardlink protection turned on. By symlinking to other files (with symlink protection off), arbitrary files can be overwritten to gain root privileges.
  # lsb_release -rd
  Description:    Ubuntu 15.04
  Release:        15.04
  # apt-cache policy apport
  apport:
    Installed: 2.17.2-0ubuntu1.3
    Candidate: 2.17.2-0ubuntu1.3
    Version table:
   *** 2.17.2-0ubuntu1.3 0
          500 http://archive.ubuntu.com/ubuntu/ vivid-updates/main i386 Packages
          100 /var/lib/dpkg/status
       2.17.2-0ubuntu1.1 0
          500 http://archive.ubuntu.com/ubuntu/ vivid-security/main i386 Packages
       2.17.2-0ubuntu1 0
          500 http://archive.ubuntu.com/ubuntu/ vivid/main i386 Packages

  See http://www.halfdog.net/Security/2015/ApportKernelCrashdumpFileAccessVulnerabilities/ for more information and follow the link on the bottom if you know what you are doing (user: InvitedOnly, pass: w0f63smR).

  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA1

  Anyone helping to fix, analyze, mitigate, the security issue at
  http://www.halfdog.net/Security/2015/ApportKernelCrashdumpFileAccessVulnerabilities/
  to improve security is allowed to view and use this resource. It may be
  passed on (including password) to other security engineers under the same
  conditions at your own risk. Free circulation of that resource is allowed
  as soon as password protection was removed or when stated on the page
  itself.
  -----BEGIN PGP SIGNATURE-----
  Version: GnuPG v1

  iEYEARECAAYFAlXqzOcACgkQxFmThv7tq+7GTwCgiwCkUqsB0qiwGIktUMIPqgXY
  9bYAni2R8hAZVWWrtPZ+xsDgHGgWq2gL
  =Y4E5
  -----END PGP SIGNATURE-----
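The two file-opening patterns at the heart of this bug, written as an added Python example (apport's own language) that is neither the reporter's code nor the apport fix: the report writer opens with O_CREAT|O_EXCL|O_NOFOLLOW, so a symlink pre-created at the predictable .crash name makes open() fail instead of truncating its target, and the log reader rejects symlinks via O_NOFOLLOW and, going one step beyond the changelog's symlink-only check, also rejects hard-linked files via fstat(). The helper names and the /var/crash stand-in directory are constructed for the demo.

```python
import os
import stat
import tempfile

def open_report_exclusively(path):
    # Hypothetical hardened writer (not apport's code). O_EXCL makes creation
    # atomic: a symlink or file planted at the predictable .crash name raises
    # FileExistsError instead of being followed and truncated; O_NOFOLLOW adds
    # a second guard.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW | os.O_CLOEXEC
    return os.fdopen(os.open(path, flags, 0o640), "wb")

def open_log_without_links(path):
    # O_NOFOLLOW rejects a symlink at the final component; fstat() then also
    # rejects non-regular files and link counts above one, so a hard link from
    # the log name to the .crash file is refused too (beyond the symlink check).
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
        os.close(fd)
        raise OSError(f"{path}: refusing non-regular or hard-linked file")
    return os.fdopen(fd, "rb")

def write_report_with_log(report_path, log_path):
    """Return True if the report was written, False if a check fired."""
    try:
        with open_log_without_links(log_path) as log, open_report_exclusively(report_path) as report:
            report.write(b"ProblemType: KernelCrash\nVmCoreLog:\n" + log.read())
        return True
    except OSError:  # FileExistsError and the link check both land here
        return False

def demo():
    """Constructed /var/crash stand-in: clean run, symlink planted at the
    predictable report name, then a hard-linked log. Returns the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as crash_dir:
        log = os.path.join(crash_dir, "vmcore.log")
        report = os.path.join(crash_dir, "linux-image-generic.0.crash")
        with open(log, "wb") as f:
            f.write(b"[    0.000000] constructed dmesg line\n")
        results["clean"] = write_report_with_log(report, log)
        os.unlink(report)
        os.symlink(log, report)          # pre-created at the predictable name
        results["symlink_at_report"] = write_report_with_log(report, log)
        os.unlink(report)
        os.link(log, os.path.join(crash_dir, "second-name"))
        results["hardlinked_log"] = write_report_with_log(report, log)
    return results
```

Only the clean run produces a report; the planted symlink and the hard-linked log are both refused before anything is truncated or included.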