Insecure /proc/net/unix parsing

Bug #1444518 reported by Marc Deslauriers
Affects            Status        Importance  Assigned to        Milestone
Apport             Fix Released  High        Unassigned
apport (Ubuntu)    Fix Released  High        Martin Pitt
  Trusty           Fix Released  Undecided   Marc Deslauriers
  Utopic           Fix Released  Undecided   Marc Deslauriers
  Vivid            Fix Released  High        Martin Pitt

Bug Description

The fix in USN-2569-1 introduced a vulnerability when parsing /proc/net/unix.

There is a known issue in the kernel where newlines aren't being escaped properly:
http://www.spinics.net/lists/netdev/msg320556.html

Resulting in Tavis Ormandy finding a new issue:

http://www.openwall.com/lists/oss-security/2015/04/14/18

Tags: patch
Marc Deslauriers (mdeslaur) wrote :
Changed in apport (Ubuntu Trusty):
status: New → Confirmed
Changed in apport (Ubuntu Utopic):
status: New → Confirmed
Changed in apport (Ubuntu Vivid):
status: New → Confirmed
Changed in apport (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apport (Ubuntu Utopic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Stéphane Graber (stgraber) wrote :

Got a slightly better version of the patch. It does a chdir() to fix a TOCTOU problem.

tags: added: patch
Tyler Hicks (tyhicks) wrote :

Hi Stéphane - Tavis pointed out[1] two additional issues with the patch in comment #2.

1) The owner of the /proc/PID directory is controllable by executing a setuid binary. You'll have to check the real UID of the process. That's doable by parsing /proc/PID/status. The real UID is the first UID in the Uid: row.

2) There's a race between getting the ppid and changing into the /proc/ppid/ directory and the ppid could be recycled. It is best if you call get_ppid() again, after the chdir(), and verify that the ppid hasn't changed (meaning that it has been recycled).

[1] http://www.openwall.com/lists/oss-security/2015/04/15/11
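
The two checks described in this comment, as an added example that is not apport's own code and not the patch discussed in the thread: the real UID is taken from the first field of the "Uid:" row of /proc/PID/status rather than from the directory owner, and the parent PID is re-read after the chdir() so that a recycled PID is detected. The function names and the sample status file are constructed for illustration; "get_ppid" and "chdir" are injectable so the race check can be exercised without touching the real /proc.

```python
import os

# Constructed sample of /proc/<pid>/status (not captured from a real system).
# The Uid: row lists real, effective, saved-set and filesystem UIDs in that order.
SAMPLE_STATUS = (
    "Name:\tsleep\n"
    "State:\tS (sleeping)\n"
    "Pid:\t4242\n"
    "PPid:\t1\n"
    "Uid:\t1000\t0\t0\t0\n"
    "Gid:\t1000\t1000\t1000\t1000\n"
)


def parse_real_uid(status_text):
    """Return the real UID from the text of a /proc/<pid>/status file.

    The owner of /proc/<pid> follows the effective UID, which a setuid
    binary changes, so the first number of the Uid: row is used instead.
    """
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            fields = line.split()
            if len(fields) < 5:
                raise ValueError("malformed Uid: row: %r" % line)
            return int(fields[1])
    raise ValueError("no Uid: row found")


def parse_ppid(status_text):
    """Return the parent PID from the text of a /proc/<pid>/status file."""
    for line in status_text.splitlines():
        if line.startswith("PPid:"):
            return int(line.split()[1])
    raise ValueError("no PPid: row found")


def read_status(path="status"):
    """Read a status file; the default is relative to the current directory
    so that, after chdir("/proc/<ppid>"), it refers to that same directory."""
    with open(path) as f:
        return f.read()


def chdir_to_parent_proc(get_ppid=os.getppid, chdir=os.chdir):
    """Hypothetical helper: change into /proc/<ppid> and verify the parent
    is still the same process afterwards.

    If the parent exited between the two get_ppid() calls, its PID may have
    been reused by an unrelated process and the directory we entered would
    describe that process, so the mismatch is treated as an error.
    """
    ppid = get_ppid()
    chdir("/proc/%d" % ppid)
    if get_ppid() != ppid:
        raise RuntimeError("parent PID changed during chdir(); possible PID reuse")
    return ppid


if __name__ == "__main__":
    # Stand-alone demonstration on the running process (Linux only).
    ppid = chdir_to_parent_proc()
    status = read_status()
    print("parent pid %d, real uid %d" % (ppid, parse_real_uid(status)))
```

Reading "status" relative to the directory entered by chdir() is what keeps the UID check tied to the directory the ppid re-check just validated; building a fresh "/proc/%d/status" path after the chdir() would reintroduce the same window.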

Stéphane Graber (stgraber) wrote :

Attaching an updated diff which should be fixing those two concerns.

Tyler Hicks (tyhicks) wrote :

Thanks! It all looks good to me except for the now unneeded 'ppid_stat = os.stat(".")' line.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.14.1-0ubuntu3.10

---------------
apport (2.14.1-0ubuntu3.10) trusty-security; urgency=medium

  * SECURITY UPDATE: insecure /proc/net/unix parsing (LP: #1444518)
    - data/apport: temporarily disable container support until it can be
      re-written in a secure manner.
    - CVE number pending
 -- Marc Deslauriers <email address hidden> Thu, 16 Apr 2015 07:56:02 -0400

Changed in apport (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.14.7-0ubuntu8.4

---------------
apport (2.14.7-0ubuntu8.4) utopic-security; urgency=medium

  * SECURITY UPDATE: insecure /proc/net/unix parsing (LP: #1444518)
    - data/apport: temporarily disable container support until it can be
      re-written in a secure manner.
    - CVE number pending
 -- Marc Deslauriers <email address hidden> Thu, 16 Apr 2015 07:40:49 -0400

Changed in apport (Ubuntu Utopic):
status: Confirmed → Fix Released
Martin Pitt (pitti)
Changed in apport (Ubuntu Vivid):
status: Confirmed → In Progress
assignee: nobody → Martin Pitt (pitti)
importance: Undecided → High
Changed in apport:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Martin Pitt (pitti)
Martin Pitt (pitti) wrote :

Ritesh: Please package the upcoming 2.17.2 instead, which will disable this feature entirely and thus fix that bug too.

Martin Pitt (pitti) wrote :
Changed in apport:
assignee: Martin Pitt (pitti) → nobody
status: In Progress → Fix Committed
Martin Pitt (pitti) wrote :
Changed in apport:
status: Fix Committed → Fix Released
Changed in apport (Ubuntu Vivid):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.17.2-0ubuntu1

---------------
apport (2.17.2-0ubuntu1) vivid; urgency=medium

  * New upstream bug fix release:
    - SECURITY UPDATE: Disable crash forwarding to containers. The previous
      fix in 2.17.1 was not sufficient against all attack scenarios. By
      binding to specially crafted sockets, a normal user program could forge
      arbitrary entries in /proc/net/unix. We cannot currently rely on a
      kernel-side solution for this; this feature will be re-enabled once it
      gets re-done to be secure. (LP: #1444518)
    - apport-kde: Fix crash when showing byte array values. Thanks Jonathan
      Riddell. (LP: #1443659)
    - Really create a better duplicate signature for recoverable problems,
      using ExecutablePath. Thanks Brian Murray. (LP: #1316763)
  * Disable Launchpad crash upload for final Ubuntu 15.04.
 -- Martin Pitt <email address hidden> Thu, 16 Apr 2015 17:51:18 -0500

Changed in apport (Ubuntu Vivid):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.