This bug was fixed in the package apport - 2.17.3-0ubuntu1 --------------- apport (2.17.3-0ubuntu1) wily; urgency=medium
* New upstream release: - SECURITY UPDATE: When /proc/sys/fs/suid_dumpable is enabled, crashing a program that is suid root or not readable for the user would create root-owned core files in the current directory of that program. Creating specially crafted core files in /etc/logrotate.d or similar could then lead to arbitrary code execution with root privileges. Now core files do not get written for these kinds of programs, in accordance with the intention of core(5). Thanks to Sander Bos for discovering this issue! (CVE-2015-1324, LP: #1452239) - SECURITY UPDATE: When writing a core dump file for a crashed packaged program, don't close and reopen the .crash report file but just rewind and re-read it. This prevents the user from modifying the .crash report file while "apport" is running to inject data and creating crafted core dump files. In conjunction with the above vulnerability of writing core dump files to arbitrary directories this could be exploited to gain root privileges. Thanks to Philip Pettersson for discovering this issue! (CVE-2015-1325, LP: #1453900) - apportcheckresume: Fix "occured" typo, thanks Matthew Paul Thomas. (LP: #1448636) - signal_crashes test: Fix test_crash_setuid_* to look at whether suid_dumpable was enabled. - test/run: Run UI tests under dbus-launch, newer GTK versions require this now. -- Martin Pitt <martin.p...@ubuntu.com> Wed, 20 May 2015 16:58:35 +0200 ** Changed in: apport (Ubuntu Wily) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1452239 Title: root escalation with fs.suid_dumpable=2 Status in Apport crash detection/reporting: Fix Released Status in apport package in Ubuntu: Fix Released Status in apport source package in Precise: Fix Released Status in apport source package in Trusty: Fix Released Status in apport source package in Utopic: Fix Released Status in apport source package in Vivid: Fix Released Status in apport source package in Wily: Fix Released Bug description: Sander Bos discovered that Apport enabled a user to perform a root escalation since it now configures fs.suid_dumpable=2. Here's a brief description of the issue: 1- A regular user can trigger a coredump with /proc/$PID/stat as root:root simply by doing chmod u-r 2- The root-owned coredump will them be written in the CWD, which in the PoC is /etc/logrotate.d 3- logrotate will gladly skip parts of the coredump it doesn't understand and will successfully run the parts it does I've set a CRD of 2015-05-21 (original proposal: 2015-05-12) for the publication of this issue. I have assigned CVE-2015-1324 to this issue. We can either: 1- Disable fs.suid_dumpable=2 2- Stop creating core dump files when they are to be created as root 3- Create root-owned core dump files in a well-known location To manage notifications about this bug go to: https://bugs.launchpad.net/apport/+bug/1452239/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp