[Touch-packages] [Bug 1839413] Re: TOCTTOU ("time of check to time of use") "cwd" variable race condition

2019-10-30 Thread Francis Ginther
** Tags added: id-5d640ed806b8601dd0ea00ab

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1839413

Title:
  TOCTTOU ("time of check to time of use") "cwd" variable race condition

Status in Apport:
  New
Status in apport package in Ubuntu:
  Fix Released

Bug description:
  Author: Sander Bos, 

  Date: 2019-07-30

  
  In data/apport, Apport reads out the current working directory of a
  crashed process in get_pid_info() and puts it into the "cwd" variable:

   cwd = os.readlink('/proc/' + pid + '/cwd')

  Later, this variable gets used in calls to write_user_coredump() for
  writing the core dump file:

   core_path = os.path.join(cwd, 'core')

  The time between setting the "cwd" variable and using the variable forms
  a TOCTTOU issue, and can be abused by a user to create a core dump file
  in a different directory than the actual current working directory of
  the crashed process (being Apport's intended destination directory for
  the core dump file).  This can for example be abused by replacing (any
  path component of) the directory to which "cwd" points with a FUSE
  bindfs(1) or similar file system mount point, or by a symbolic link to an
  arbitrary (and potentially root owned) directory.

  Moreover, when using FUSE, basically "anything" could be put behind the
  "mount point" leading to various potential exploitation scenarios, e.g.,
  an indefinite sleep() would lead to (some form of) DoS for Apport.

  Proposed fix: if possible, use a file descriptor for handling "cwd".

To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/1839413/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
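An added illustration of the race and of the descriptor-based fix the report proposes; this is example code written for this page, not Apport's own. It runs on Linux only (it relies on /proc), simulates the check-to-use window with a rename plus symlink instead of a FUSE mount, and all directory names are constructed.

```python
import os
import shutil
import tempfile

def cwd_of_pid_by_path(pid):
    # Check as in the report: the cwd is captured as a path string.
    return os.readlink('/proc/%d/cwd' % pid)

def write_core_by_path(cwd, data):
    # Use as in the report: the string is trusted to still name the cwd.
    core_path = os.path.join(cwd, 'core')
    with open(core_path, 'wb') as f:
        f.write(data)
    return core_path

def cwd_of_pid_by_fd(pid):
    # Hardened check: hold a descriptor on the directory itself; a later rename,
    # symlink or mount on its path then cannot redirect the write.
    return os.open('/proc/%d/cwd' % pid, os.O_RDONLY | os.O_DIRECTORY)

def write_core_by_fd(cwd_fd, data):
    # Hardened use: create 'core' relative to the held fd. O_EXCL | O_NOFOLLOW
    # also refuses a pre-existing file or symlink named 'core'.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open('core', flags, 0o600, dir_fd=cwd_fd)
    with os.fdopen(fd, 'wb') as f:
        f.write(data)

def race_demo():
    # Constructed scenario: between check and use the cwd path is swapped for a
    # symlink elsewhere. Returns (path_version_redirected, fd_version_in_real_cwd).
    base = tempfile.mkdtemp()
    real, other, moved = (os.path.join(base, n) for n in ('real', 'other', 'moved'))
    for d in (real, other):
        os.mkdir(d)
    saved_cwd = os.getcwd()
    os.chdir(real)
    try:
        pid = os.getpid()
        cwd_str = cwd_of_pid_by_path(pid)     # time of check (vulnerable)
        cwd_fd = cwd_of_pid_by_fd(pid)        # time of check (hardened)
        os.rename(real, moved)                # the window: the path now points elsewhere
        os.symlink(other, real)
        write_core_by_path(cwd_str, b'core')  # time of use (vulnerable)
        write_core_by_fd(cwd_fd, b'core')     # time of use (hardened)
        os.close(cwd_fd)
        return (os.path.exists(os.path.join(other, 'core')),
                os.path.exists(os.path.join(moved, 'core')))
    finally:
        os.chdir(saved_cwd)
        shutil.rmtree(base)
```

race_demo() returns (True, True): the path-based write lands in the substituted directory, while the fd-based write stays in the directory that was the process's cwd at check time.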


[Touch-packages] [Bug 1839413] Re: TOCTTOU ("time of check to time of use") "cwd" variable race condition

2019-10-30 Thread Alex Murray
** Information type changed from Private Security to Public Security