** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1830862
Title: Apport reads arbitrary files if ~/.config/apport/settings is a symlink Status in Apport: New Status in apport package in Ubuntu: Fix Released Bug description: Dear Ubuntu Security Team, I would like to report a local denial of service vulnerability in Apport. This issue is a variant of issue 1830858, but I believe it is less severe because I was only able to use it to trigger a denial of service. To trigger the bug: mkdir -p ~/.config/apport ln -s /dev/zero ~/.config/apport/settings gcc segv.c -o segv ./segv (I have tested these steps on an up-to-date Ubuntu 18.04.) Apport will happily follow the symlink, even if it points to a file that requires root privileges to read. The reason why it is more difficult to exploit than issue 1830858 is that Apport will error out if the file is not formatted correctly. But if the symlink points to /dev/zero then Apport will keep reading until it uses all the system's memory, thereby DOS-ing the machine. Please let me know when you have fixed the vulnerability, so that I can coordinate my disclosure with yours. For reference, here is a link to Semmle's vulnerability disclosure policy: https://lgtm.com/security#disclosure_policy Thank you, Kevin Backhouse Semmle Security Research Team To manage notifications about this bug go to: https://bugs.launchpad.net/apport/+bug/1830862/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp