[Touch-packages] [Bug 1726372] Re: Multiple security issues in Apport

2017-11-15 Thread Launchpad Bug Tracker
This bug was fixed in the package apport - 2.20.8-0ubuntu1

---
apport (2.20.8-0ubuntu1) bionic; urgency=medium

   * New upstream release:
 - SECURITY UPDATE: Denial of service via resource exhaustion and
   privilege escalation when handling crashes of tainted processes.
 - When /proc/sys/fs/suid_dumpable is set to 2, do not assume that
   the user and group owning the /proc//stat file is the same
   owner and group that started the process. Rather check the dump
   mode of the crashed process and do not write a core file if its
   value is 2. Thanks to Sander Bos for discovering this issue!
   (CVE-2017-14177, LP: #1726372)
 - SECURITY UPDATE: Denial of service via resource exhaustion,
   privilege escalation, and possible container escape when handling
   crashes of processes inside PID namespaces.
 - Change the method for determining if a crash is from a container
   so that there are no false positives from software using PID
   namespaces. Additionally, disable container crash forwarding by
   ignoring crashes that occur in a PID namespace. This functionality
   may be re-enabled in a future update. Thanks to Sander Bos for
   discovering this issue!
   (CVE-2017-14180, LP: #1726372)
   * apport/hookutils.py: modify package_versions to return an empty string if
 packages is empty. (LP: #1723822)

 -- Brian Murray   Wed, 15 Nov 2017 12:44:24 -0800

** Changed in: apport (Ubuntu)
   Status: New => Fix Released

[Touch-packages] [Bug 1726372] Re: Multiple security issues in Apport

2017-11-15 Thread Launchpad Bug Tracker
** Branch linked: lp:~ubuntu-core-dev/ubuntu/bionic/apport/ubuntu

[Touch-packages] [Bug 1726372] Re: Multiple security issues in Apport

2017-11-15 Thread Ubuntu Foundations Team Bug Bot
** Tags added: patch

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1726372

Title:
  Multiple security issues in Apport

Status in apport package in Ubuntu:
  New
Status in apport source package in Trusty:
  Fix Released
Status in apport source package in Xenial:
  Fix Released
Status in apport source package in Zesty:
  Fix Released
Status in apport source package in Artful:
  Fix Released

Bug description:
  We have received the following advisory:

  Security vulnerability report: multiple vulnerabilities in Apport / Ubuntu
  --------------------------------------------------------------------------

  OVERVIEW
  --------

  Author: Sander Bos
  Author's e-mail address: sbos _at_ sbosnet _dot_ nl
  Author's web site: www.sbosnet.nl
  CVE numbers: requested
  Date: 2017-10-23
  Version: 2

  SUMMARY
  -------

  Several security vulnerabilities were discovered by Sander Bos in the
  "Apport" crash handler program [1] affecting all currently supported
  releases of Ubuntu (12.04 LTS (ESM), 14.04 LTS, 16.04 LTS, 17.04, 17.10)
  and, likely, other distributions and Ubuntu derivatives using Apport
  as well.

  Exploitation types are privilege escalation (root exploitation), full
  disk DoS, and Linux container escaping.

  DESCRIPTION, WITH PROPOSED FIXES / WORKAROUNDS
  ----------------------------------------------

  Issue 1 (CVE-2017-14177): Incomplete fix for CVE-2015-1324
  ----------------------------------------------------------

  Exploitation types: privilege escalation, full disk DoS.

  Ubuntu releases affected: 12.04 LTS (ESM), 14.04 LTS, 16.04 LTS, 17.04, 17.10
  (i.e., all currently supported releases).
  Note: default OS installations might need an extra package installed,
  or a system configuration setting changed, to be exploitable.

  Description:

  The Apport issue I reported in 2015 (CVE-2015-1324) [2], leading to
  privilege escalation, was not fixed properly.  The initial issue and
  vulnerability still apply, although to a lesser extent.

  Since the introduction of the fix [3] Apport detects setuid, unreadable,
  and other types of tainted / protected binaries / processes by
  comparing the real UID and real GID of the crashed process, read from
  /proc//status and which Apport first sets its own UID and GID to,
  with the UID and GID file owner information of /proc//stat.

  For non tainted processes, the file owner information of /proc//stat
  is the UID and GID of the user that started the process.  For tainted
  processes, the file owner information is 0.

  If the comparison does not match, Apport assumes the process to be a
  tainted process, and disables writing a core dump file.  This on itself
  is correct.

  However, if the comparison _does_ match, it is not always correct to
  assume that the process is _not_ a tainted process (and, consequently,
  write a core dump file).  For example, some setuid programs run by users
  receive real UID 0 and real GID 0.  Also, some setuid processes started
  by root (partially) drop privileges at some point (after which users
  could crash them), for example after forking, but retain real UID 0 and
  real GID 0.

  In such cases, Apport writes a core dump file (as root) while in fact
  it should not do so.  This brings back the problem of CVE-2015-1324.

  It should also be noted that, for the same reason, Apport "dropping
  privileges" to the real UID and real GID read from /proc//status is at
  times incorrect and, thus, unsafe as well.

  Proposed fix:

  The proper fix is to really _never_ write a core dump file for processes
  where suid_dumpable=2 got effectuated.  This was probably what was
  intended with the fix for CVE-2015-1324, but the check that was created
  does not catch all cases of tainted processes.  A better approach would
  be to let Apport read out "%d" from core(5) through "kernel.core_pattern"
  and if it returns "2", not write a core dump file.  Note however that
  "%d" is only present since kernel version 3.7, and would thus not work
  on Ubuntu 12.04 LTS systems running a 3.2 "GA" (General Availability)
  kernel from earlier Ubuntu 12.04.x LTS releases (as opposed to such
  systems running a 3.13 "HWE" (Hardware Enablement Stack) kernel from
  later Ubuntu 12.04.x LTS releases).

  Issue 2 (CVE-2017-14179): Apport lacking container / PID namespace support
  and
  Issue 3 (CVE-2017-14180): Apport broken container / PID namespace support
  --------------------------------------------------------------------------

  Exploitation types: container escape, privilege escalation, full disk
  DoS.

  Ubuntu releases affected: 12.04 LTS (ESM), 16.04 LTS, 17.04, 17.10.
  Note: exploitable on default OS installations.

  Description:

  Issue 2 (CVE-2017-14179):
  Ubuntu 12.04 LTS: Apport does not recognize ("support")
  PID namespaces / containers.

  Issue 3 (CVE-2017-14180):
  Ubuntu 16.04 LTS, Ubuntu 17.04, and Ubuntu 17.10: 
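
Added example (not Apport's code and not part of the advisory quoted
above): the Python below puts the ownership heuristic that Issue 1
criticises next to the dump-mode check it proposes, and runs both over
three constructed crashes. A setuid-root program whose real UID became 0
is root-owned in /proc exactly like an ordinary root process, so the
heuristic reports "untainted" while the kernel's %d value says dump mode 2.
The core_pattern string, the handler path, the PIDs and the
/proc/<pid>/status excerpts are made up for the example; only the decision
logic follows the description in the advisory.

```python
import re
from dataclasses import dataclass

# Illustrative piped core_pattern (assumption for this example). The kernel
# expands each %-specifier into one argv element for the handler, see
# core(5); "%d" (dump mode of the crashed process) exists since Linux 3.7.
CORE_PATTERN = "|/usr/share/apport/apport %p %s %c %d"
HANDLER = "/usr/share/apport/apport"


def handler_args(pattern, argv):
    """Map the %-specifiers of a piped core_pattern onto the argv the kernel
    passes to the handler (argv[0] is the handler path itself)."""
    specs = pattern.lstrip("|").split()[1:]
    if len(argv) - 1 != len(specs):
        raise ValueError("argv does not match core_pattern")
    return dict(zip(specs, argv[1:]))


@dataclass
class CrashedProcess:
    status_text: str    # contents of /proc/<pid>/status
    stat_owner: tuple   # (st_uid, st_gid) of /proc/<pid>/stat
    handler_argv: list  # argv the kernel handed to the core handler


def real_ids(status_text):
    """Real UID/GID are the first field of the Uid:/Gid: lines in
    /proc/<pid>/status (fields: real, effective, saved, filesystem)."""
    ids = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Uid|Gid):\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$", line)
        if m:
            ids[m.group(1)] = int(m.group(2))
    return ids["Uid"], ids["Gid"]


def owner_check_allows_dump(proc):
    """The heuristic criticised in Issue 1: assume the process is untainted
    when /proc/<pid>/stat is owned by its real UID/GID. The kernel gives the
    /proc entries of a non-dumpable process to root, so this only detects
    taint while the real IDs are themselves non-zero."""
    return real_ids(proc.status_text) == proc.stat_owner


def dump_mode_check_allows_dump(proc):
    """The check the advisory proposes: never write a core file when the
    kernel reports dump mode 2, whatever the ownership looks like."""
    args = handler_args(CORE_PATTERN, proc.handler_argv)
    return int(args["%d"]) != 2


def decide(proc):
    """Return (owner_check_verdict, dump_mode_verdict) for one crash."""
    return owner_check_allows_dump(proc), dump_mode_check_allows_dump(proc)


def status(name, ruid, euid, rgid, egid):
    # Constructed /proc/<pid>/status excerpt for the example.
    return (f"Name:\t{name}\nState:\tS (sleeping)\n"
            f"Uid:\t{ruid}\t{euid}\t{euid}\t{euid}\n"
            f"Gid:\t{rgid}\t{egid}\t{egid}\t{egid}\n")


# 1. Ordinary process of uid 1000: both checks agree a dump is fine.
PLAIN = CrashedProcess(status("editor", 1000, 1000, 1000, 1000), (1000, 1000),
                       [HANDLER, "4242", "11", "0", "1"])
# 2. Setuid-root program run by uid 1000 whose real UID became 0 (or a root
#    daemon that dropped only part of its privileges): root-owned in /proc,
#    so the owner heuristic wrongly reports "untainted".
SETUID_ROOT = CrashedProcess(status("helper", 0, 0, 0, 0), (0, 0),
                             [HANDLER, "4243", "11", "0", "2"])
# 3. Setuid program that kept real UID 1000: the heuristic catches this one.
SETUID_KEPT = CrashedProcess(status("helper", 1000, 0, 1000, 0), (0, 0),
                             [HANDLER, "4244", "11", "0", "2"])

if __name__ == "__main__":
    for label, proc in (("plain", PLAIN), ("setuid-root", SETUID_ROOT),
                        ("setuid-kept", SETUID_KEPT)):
        owner, mode = decide(proc)
        print(f"{label:12s} owner-check allows={owner}  "
              f"dump-mode-check allows={mode}")
```

The second case is the one that matters: both heuristics see UID 0 on both
sides and agree, yet the process ran with suid_dumpable=2 in effect, and
only the %d value carries that fact to the handler.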

[Touch-packages] [Bug 1726372] Re: Multiple security issues in Apport

2017-11-15 Thread Launchpad Bug Tracker
** Branch linked: lp:apport

[Touch-packages] [Bug 1726372] Re: Multiple security issues in Apport

2017-11-15 Thread Stéphane Graber
Filed an SRU regression bug here
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1732518 to track
re-enabling of container support.

[Touch-packages] [Bug 1726372] Re: Multiple security issues in Apport

2017-11-15 Thread Launchpad Bug Tracker
This bug was fixed in the package apport - 2.14.1-0ubuntu3.27

---
apport (2.14.1-0ubuntu3.27) trusty-security; urgency=medium

  * SECURITY UPDATE: Denial of service via resource exhaustion and
privilege escalation when handling crashes of tainted processes
(LP: #1726372)
- When /proc/sys/fs/suid_dumpable is set to 2, do not assume that
  the user and group owning the /proc//stat file is the same
  user and group that started the process. Rather check the dump
  mode of the crashed process and do not write a core file if its
  value is 2. Thanks to Sander Bos for discovering this issue!
- CVE-2017-14177
  * SECURITY UPDATE: Denial of service via resource exhaustion,
privilege escalation, and possible container escape when handling
crashes of processes inside PID namespaces (LP: #1726372)
- Change the method for determining if a crash is from a container
  so that there are no false positives from software using PID
  namespaces. Additionally, disable container crash forwarding by
  ignoring crashes that occur in a PID namespace. This functionality
  may be re-enabled in a future update. Thanks to Sander Bos for
  discovering this issue!
- CVE-2017-14180

 -- Brian Murray   Mon, 13 Nov 2017 08:54:04 -0800

** Changed in: apport (Ubuntu Trusty)
   Status: New => Fix Released

[Touch-packages] [Bug 1726372] Re: Multiple security issues in Apport

2017-11-15 Thread Tyler Hicks
** Information type changed from Private Security to Public Security
