This bug was fixed in the package apport - 2.12.6-0ubuntu1
---------------
apport (2.12.6-0ubuntu1) trusty; urgency=low

  * New upstream security/bug fix release:
    - SECURITY FIX: For setuid programs which drop their privileges after
      startup, make the report and core dumps owned by root, to avoid possible
      data disclosure. Also, change core dump files to permissions "0600".
      Thanks to Martin Carpenter for discovering this!
      (CVE-2013-1067, LP: #1242435)
    - sandboxutils.needed_runtime_packages(): Create cache directory for
      Contents.gz if missing. (LP: #933199)
    - apt/dpkg: Recognize options in apt sources.list. (LP: #1238620)
  * Move Vcs-Bzr to trusty branch.

 -- Martin Pitt <[email protected]>  Fri, 25 Oct 2013 06:49:19 +0200
** Changed in: apport (Ubuntu Trusty)
       Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1242435
Title:
  Desktop setuid cores readable by non-privileged user

Status in Apport crash detection/reporting:
  Fix Released
Status in “apport” package in Ubuntu:
  Fix Released
Status in “apport” source package in Lucid:
  Invalid
Status in “apport” source package in Precise:
  Fix Released
Status in “apport” source package in Quantal:
  Fix Released
Status in “apport” source package in Raring:
  Fix Released
Status in “apport” source package in Saucy:
  Fix Released
Status in “apport” source package in Trusty:
  Fix Released
Status in “apport” package in Debian:
  Confirmed
Bug description:
  Elsewhere I have been working on a sensitive information leak via core
  dump generated by gcore(1).

  The sensitive information in question is read by a stock setuid root
  binary executed by a non-privileged user. On Ubuntu Desktop
  fs.suid_dumpable=2. Referencing
  https://www.kernel.org/doc/Documentation/sysctl/fs.txt:

      2 - (suidsafe) - any binary which normally would not be dumped is dumped
          anyway, but only if the "core_pattern" kernel sysctl is set to
          either a pipe handler or a fully qualified path. (For more details
          on this limitation, see CVE-2006-2451.) This mode is appropriate
          when administrators are attempting to debug problems in a normal
          environment, and either have a core dump pipe handler that knows
          to treat privileged core dumps with care, or specific directory
          defined for catching core dumps. If a core dump happens without
          a pipe handler or fully qualified path, a message will be emitted
          to syslog warning about the lack of a correct setting.

  NB "treat privileged core dumps with care".

  On a stock Desktop 12.04 LTS install:

      kernel.core_pattern = |/usr/share/apport/apport %p %s %c

  apport dutifully dumps the core and this is readable (0660, user:user)
  by the invoking user, whereas it should be something like 0440,
  root:root. I believe this to be a bug in apport.

  TRUNK FIX:
  http://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/2723

  Backports for older releases available as attachments here.
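As an added illustration (not apport's code and not the fix linked above) of the decision a root-running core_pattern pipe handler has to make before it writes anything: a Python policy function that treats the crashed process as privileged if the kernel's dump mode (the %d core_pattern specifier, assumed to be passed in when available) says so, if /proc/<pid>/status shows mixed credentials, or if the executable on disk carries a setuid/setgid bit, which still catches a program that dropped privileges after start-up. The status excerpts and the executable name are constructed.

```python
import re
import stat
from typing import NamedTuple, Optional

# Constructed /proc/<pid>/status excerpts (not captured from a real crash).
# A setuid-root program that fully dropped privileges looks like any user process:
STATUS_DROPPED = "Name:\tsuidprog\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n"
# One that still holds root in its effective/saved/fs ids:
STATUS_MIXED = "Name:\tsuidprog\nUid:\t1000\t0\t0\t0\nGid:\t1000\t1000\t1000\t1000\n"


class CorePolicy(NamedTuple):
    uid: int     # owner for the core dump and crash report
    gid: int
    mode: int    # permission bits for those files
    reason: str


def parse_ids(status_text: str, key: str) -> tuple:
    """Return (real, effective, saved, filesystem) ids from the Uid:/Gid: line."""
    m = re.search(rf"^{key}:\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", status_text, re.M)
    if m is None:
        raise ValueError(f"no {key} line in status text")
    return tuple(int(v) for v in m.groups())


def core_policy(status_text: str, exe_mode: int, dump_mode: Optional[int] = None) -> CorePolicy:
    """Decide who may own the core of a crashed process.

    dump_mode is the kernel's %d core_pattern value when the handler receives
    it (2 means the process was dumped only because fs.suid_dumpable=2).
    Without it, fall back to two checks: mixed credentials in /proc status,
    and a setuid/setgid bit on the executable (st_mode from os.stat), which
    still catches a program that dropped privileges after start-up.
    """
    uids = parse_ids(status_text, "Uid")
    gids = parse_ids(status_text, "Gid")
    if dump_mode == 2:
        return CorePolicy(0, 0, 0o600, "kernel reported suidsafe dump mode")
    if len(set(uids)) > 1 or len(set(gids)) > 1:
        return CorePolicy(0, 0, 0o600, "process holds mixed credentials")
    if exe_mode & (stat.S_ISUID | stat.S_ISGID):
        return CorePolicy(0, 0, 0o600, "executable is setuid/setgid")
    # Ordinary crash: only the real user of the process may read the core.
    return CorePolicy(uids[0], gids[0], 0o600, "unprivileged process")
```

The handler should create the file with these bits (O_CREAT|O_EXCL, mode 0600) and fchown it to the decided owner before writing the first byte, so there is never a window in which the core is readable by the invoking user.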
--
Mailing list: https://launchpad.net/~desktop-packages