** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1452239

Title:
  root escalation with fs.suid_dumpable=2

Status in Apport crash detection/reporting:
  Fix Released
Status in apport package in Ubuntu:
  Fix Committed
Status in apport source package in Precise:
  Fix Released
Status in apport source package in Trusty:
  Fix Released
Status in apport source package in Utopic:
  Fix Released
Status in apport source package in Vivid:
  Fix Released
Status in apport source package in Wily:
  Fix Committed

Bug description:
  Sander Bos discovered that Apport enabled a user to perform a root
  escalation since it now configures fs.suid_dumpable=2.

  Here's a brief description of the issue:

  1- A regular user can trigger a coredump with /proc/$PID/stat as
     root:root simply by doing chmod u-r
  2- The root-owned coredump will then be written in the CWD, which in
     the PoC is /etc/logrotate.d
  3- logrotate will gladly skip parts of the coredump it doesn't
     understand and will successfully run the parts it does

  I've set a CRD of 2015-05-21 (original proposal: 2015-05-12) for the
  publication of this issue.

  I have assigned CVE-2015-1324 to this issue.

  We can either:

  1- Disable fs.suid_dumpable=2
  2- Stop creating core dump files when they are to be created as root
  3- Create root-owned core dump files in a well-known location
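
The second and third options listed in the report can be expressed as a placement policy for the crash handler. The sketch below is an added example, not Apport's code and not the fix that was released; the function names, the `policy` values and the `/var/crash` directory standing in for the "well-known location" are assumptions made for illustration.

```python
import os

SAFE_DIR = "/var/crash"  # assumption: stands in for the "well-known location"


def choose_core_dir(crash_uid, dump_uid, cwd, policy="relocate", safe_dir=SAFE_DIR):
    """Pick the directory for a core file, or None to write nothing.

    crash_uid: real uid of the user who ran the crashing process.
    dump_uid:  uid that would own the core file.
    """
    # The case from the report: a root-owned dump triggered by a non-root
    # user would land in a directory that user chose (the CWD).
    if dump_uid == 0 and crash_uid != 0:
        if policy == "skip":        # option 2: no root-owned core files
            return None
        if policy == "relocate":    # option 3: fixed, root-controlled directory
            return safe_dir
        raise ValueError("unknown policy: %r" % policy)
    return cwd


def write_core(directory, name, data):
    """Create the core file without following or overwriting anything."""
    if os.path.basename(name) != name or name in ("", ".", ".."):
        raise ValueError("core file name must be a plain file name")
    path = os.path.join(directory, name)
    # O_EXCL refuses pre-existing files and symlinks planted under that name;
    # mode 0600 keeps the memory image of a privileged process private.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed values: uid 1000 crashes a process whose dump would be root-owned.
    print(choose_core_dir(1000, 0, "/etc/logrotate.d"))                 # relocated
    print(choose_core_dir(1000, 0, "/etc/logrotate.d", policy="skip"))  # not written
    print(choose_core_dir(1000, 1000, "/home/user"))                    # unchanged
```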