*** This bug is a duplicate of bug 1839413 ***
    https://bugs.launchpad.net/bugs/1839413

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1839414

Title:
  Apport follows symbolic links in path components when creating core
  dump file

Status in Apport:
  New
Status in apport package in Ubuntu:
  New

Bug description:
  Author: Sander Bos, <https://www.sbosnet.nl/>

  Date: 2019-07-30

  
  In data/apport, Apport (implicitly) protects against symbolic link
  following for core dump files that are to be created, but not sufficiently:

      core_path = os.path.join(cwd, 'core')
      ...
          core_file = os.open(core_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)

  When Apport opens (creates, actually) the core dump file in the
  second line, symbolic link following is (implicitly) prevented due to
  the combination of "os.O_CREAT" and "os.O_EXCL".  However, this only
  applies to the final path component of "core_path" (the core dump file
  name of "core"), _not_ for the earlier path components (taken from
  "cwd").  For those path components, no such prevention is explicitly
  applied either.  Thus, symbolic links in path components before "core"
  are followed.  Combined with a different issue of "cwd" being replaced
  after reading out the current working directory but before using the "cwd"
  variable's value, users may be able to replace any path component of the
  "cwd" file system entry with a symbolic link pointing to an arbitrary
  location on the file system.

  This can for example be used to place core dumps in arbitrary (but
  user-writable) directories different from the actual current working
  directory of the crashed process, or even (user-writable) directories
  outside the root directory in case of a chroot()ed crashed process or
  outside of a container / sandbox in case of a containerized / sandboxed
  process (because Apport is run from the host's root file system, not
  within such environment).

  Proposed fix: make Apport not follow symbolic links in non-last path
  components when writing core dump files.
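The following is an added example, not code from the bug report or from Apport, showing one way to implement the proposed fix: instead of passing the full `core_path` to a single `os.open`, each directory component is opened with `O_DIRECTORY | O_NOFOLLOW` relative to the previously opened directory (via `dir_fd`), so a symbolic link anywhere in the path raises `OSError` rather than being followed, and only then is `core` created with `O_CREAT | O_EXCL | O_NOFOLLOW` relative to the final directory descriptor. The function name `open_core_nofollow` and the temporary-directory layout in `demo` are constructed for this illustration; the code relies on Linux `dir_fd` support.

```python
import os
import shutil
import tempfile


def open_core_nofollow(directory, name="core", mode=0o600):
    """Create `name` inside `directory` without following any symlink.

    Hypothetical helper (not Apport's code). Every component of `directory`
    is opened with O_DIRECTORY | O_NOFOLLOW relative to the previous one, so
    a symlink in an intermediate component fails with ELOOP instead of being
    followed. The file itself is created with O_CREAT | O_EXCL | O_NOFOLLOW,
    which also refuses a pre-existing entry of any kind. Returns the fd of
    the newly created file. Linux-specific because of dir_fd.
    """
    if not os.path.isabs(directory):
        raise ValueError("directory must be an absolute path")
    components = [c for c in directory.split(os.sep) if c]
    if ".." in components:
        raise ValueError("'..' components are not allowed")

    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    fd = os.open("/", dir_flags)
    try:
        for comp in components:
            # Open the next component relative to the directory we already hold.
            nfd = os.open(comp, dir_flags, dir_fd=fd)
            os.close(fd)
            fd = nfd
        # Create the core file relative to the directory fd we actually traversed.
        return os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                       mode, dir_fd=fd)
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a real directory and a symlink pointing to a
    different directory. Returns (created_in_real, symlink_rejected,
    created_elsewhere) so the behaviour can be checked programmatically."""
    base = os.path.realpath(tempfile.mkdtemp())
    real = os.path.join(base, "work")
    elsewhere = os.path.join(base, "elsewhere")
    link = os.path.join(base, "link")
    os.mkdir(real)
    os.mkdir(elsewhere)
    os.symlink(elsewhere, link)
    try:
        fd = open_core_nofollow(real)
        os.close(fd)
        created_in_real = os.path.exists(os.path.join(real, "core"))

        try:
            open_core_nofollow(link)
            symlink_rejected = False
        except OSError:
            symlink_rejected = True
        created_elsewhere = os.path.exists(os.path.join(elsewhere, "core"))
        return created_in_real, symlink_rejected, created_elsewhere
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

Walking the path one descriptor at a time is what closes the gap the report describes: `O_EXCL` only protects the last component, while `O_NOFOLLOW` on every directory open protects the earlier ones. It does not by itself address the separate race of `cwd` changing between being read and being used, but because the final create is relative to the directory that was actually traversed, a swapped component can only fail the open, not redirect the write.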
