[Bug 1830862] Re: Apport reads arbitrary files if ~/.config/apport/settings is a symlink

[Francis Ginther]

** Tags added: id-5db7d829ab21655404d94dff

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1830862

Title:
  Apport reads arbitrary files if ~/.config/apport/settings is a symlink

Status in Apport:
  New
Status in apport package in Ubuntu:
  Fix Released

Bug description:
  Dear Ubuntu Security Team,

  I would like to report a local denial of service vulnerability in
  Apport. This issue is a variant of issue 1830858, but I believe it is
  less severe because I was only able to use it to trigger a denial of
  service. To trigger the bug:

  mkdir -p ~/.config/apport
  ln -s /dev/zero ~/.config/apport/settings
  gcc segv.c -o segv
  ./segv

  (I have tested these steps on an up-to-date Ubuntu 18.04.)

  Apport will happily follow the symlink, even if it points to a file
  that requires root privileges to read. The reason why it is more
  difficult to exploit than issue 1830858 is that Apport will error out
  if the file is not formatted correctly. But if the symlink points to
  /dev/zero then Apport will keep reading until it uses all the system's
  memory, thereby DOS-ing the machine.

  Please let me know when you have fixed the vulnerability, so that I
  can coordinate my disclosure with yours. For reference, here is a link
  to Semmle's vulnerability disclosure policy:
  https://lgtm.com/security#disclosure_policy

  Thank you,

  Kevin Backhouse

  Semmle Security Research Team

To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/1830862/+subscriptions