diff -Nru apport-2.20.9/apport/ui.py apport-2.20.9/apport/ui.py --- apport-2.20.9/apport/ui.py 2020-02-27 03:18:45.000000000 +0000 +++ apport-2.20.9/apport/ui.py 2020-03-18 22:35:22.000000000 +0000 @@ -528,7 +528,7 @@ self.ui_error_message(_('Cannot create report'), excstr(e)) else: # show what's being sent - allowed_to_report = apport.fileutils.allowed_to_report() + allowed_to_report = True response = self.ui_present_report_details(allowed_to_report) if response['report']: self.file_report() @@ -607,7 +607,7 @@ return False # show what's being sent - allowed_to_report = apport.fileutils.allowed_to_report() + allowed_to_report = True response = self.ui_present_report_details(allowed_to_report) if response['report']: self.crashdb.update(self.options.update_report, self.report, diff -Nru apport-2.20.9/data/apport apport-2.20.9/data/apport --- apport-2.20.9/data/apport 2020-02-27 03:18:45.000000000 +0000 +++ apport-2.20.9/data/apport 2020-03-25 01:17:13.000000000 +0000 @@ -32,18 +32,10 @@ This avoids bringing down the system to its knees if there is a series of crashes.''' - # create lock file directory - try: - os.mkdir("/var/lock/apport", mode=0o744) - except OSError as e: - if e.errno == errno.EEXIST: - pass - else: - raise - # create a lock file try: - fd = os.open("/var/lock/apport/lock", os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW) + fd = os.open("/var/run/apport.lock", + os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, mode=0o600) except OSError as e: error_log('cannot create lock file (uid %i): %s' % (os.getuid(), str(e))) sys.exit(1) @@ -680,15 +672,16 @@ mode = 0o640 else: mode = 0 - reportfile = os.fdopen(os.open(report, os.O_RDWR | os.O_CREAT | os.O_EXCL, mode), 'w+b') + fd = os.open(report, os.O_RDWR | os.O_CREAT | os.O_EXCL, mode) + reportfile = os.fdopen(fd, 'w+b') assert reportfile.fileno() > sys.stderr.fileno() # Make sure the crash reporting daemon can read this report try: gid = pwd.getpwnam('whoopsie').pw_gid - os.chown(report, pidstat.st_uid, gid) + os.fchown(fd, pidstat.st_uid, gid) except (OSError, KeyError): - os.chown(report, pidstat.st_uid, pidstat.st_gid) + os.fchown(fd, pidstat.st_uid, pidstat.st_gid) except (OSError, IOError) as e: error_log('Could not create report file: %s' % str(e)) sys.exit(1) diff -Nru apport-2.20.9/debian/changelog apport-2.20.9/debian/changelog --- apport-2.20.9/debian/changelog 2020-02-27 03:18:45.000000000 +0000 +++ apport-2.20.9/debian/changelog 2020-03-25 01:17:13.000000000 +0000 @@ -1,3 +1,29 @@ +apport (2.20.9-0ubuntu7.14) bionic-security; urgency=medium + + * SECURITY UPDATE: World writable root owned lock file created in user + controllable location (LP: #1862348) + - data/apport: Change location of lock file to be directly under + /var/run so that regular users can not directly access it or perform + symlink attacks. + - CVE-2020-8831 + * SECURITY UPDATE: Race condition between report creation and ownership + (LP: #1862933) + - data/apport: When setting owner of report file use a file-descriptor + to the report file instead of its path name to ensure that users can + not cause Apport to change the ownership of other files via a + symlink attack. + - CVE-2020-8833 + + -- Alex Murray Wed, 25 Mar 2020 11:47:13 +1030 + +apport (2.20.9-0ubuntu7.13) bionic; urgency=medium + + * apport/ui.py: Always allow users to use ubuntu-bug or apport-collect + regardless of the Problem Reporting setting as they are manually invoked + and not automatically generated like a crash report. (LP: #1814611) + + -- Brian Murray Wed, 18 Mar 2020 15:35:23 -0700 + apport (2.20.9-0ubuntu7.12) bionic-security; urgency=medium [ Michael Hudson-Doyle ]