[Touch-packages] [Bug 1648806] Re: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files
@Benjamin: Argh, I had to uncommit/recommit these three as the CVE numbers came in at the last minute, and apparently got the commit messages the wrong way around (meh @ not having rebase in bzr..) I did some surgery on the branch and the commit messages are correct now. When I created the fixes I also verified that this was the only eval() in the entire source, there is none left now. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1648806 Title: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files Status in Apport: Fix Released Status in apport package in Ubuntu: Fix Released Status in apport source package in Precise: Fix Released Status in apport source package in Trusty: Fix Released Status in apport source package in Xenial: Fix Released Status in apport source package in Yakkety: Fix Released Status in apport source package in Zesty: Fix Released Bug description: Forwarding private (encrypted) mail from Donncha O'Cearbhaill : = 8< == Hi Martin, I have been auditing the Apport software in my free time and unfortunately I have found some serious security issues. Untrusted files can be passed to apport-gtk as it is registered as the default file handler for "text/x-apport" files. The mime-type includes .crash files but also any unknown file type which begins with "ProblemType: ". An attacker could social engineer a victim into opening a malicious Apport crash file simply by clicking on it. In apport/ui.py, Apport is reading the CrashDB field and then it then evaluates the field as Python code if it begins with a "{". This is very dangerous as it can allow remote attackers to execute arbitrary Python code. The vulnerable code was introduce on 2012-08-22 in Apport revision 2464 (http://bazaar.launchpad.net/~apport-hackers/apport/trunk/files/2464). This code was first included in release 2.6.1. All Ubuntu Desktop versions after 12.05 (Precise) include this vulnerable code by default. An easy fix would be to parse the value as JSON instead of eval()'ing it. There is also a path traversal issue where the Package or SourcePackage fields are not sanitized before being used to build a path to the package specific hook files in the /usr/share/apport/package-hooks/ directory. By setting "Package: ../../../../proc/self/cwd/Downloads/rce-hook.py" a remote attacker could exploit this bug to execute Python scripts that have be placed in the user's Downloads directory. Would you like to apply for a CVE for this issues or should I? I'd like to see these issue fixed soon so that Ubuntu users can be kept safe. I'm planning to publish a blog post about these issues but I'll wait until patched version of Apport are available in the repositories. Please let me know if you have any questions. Kind Regards, Donncha = 8< == I just talked to Donna on Jabber, and he plans to disclose that in around a week. To manage notifications about this bug go to: https://bugs.launchpad.net/apport/+bug/1648806/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1648806] Re: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files
@benjaoming Looks like commit notes mixed up between 3114 and 3112. The eval fix (CVE-2016-9949) is in 3112: https://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/3112/ The patch in 3114 fixes CVE-2016-9951 (Relaunch code execution). -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1648806 Title: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files Status in Apport: Fix Released Status in apport package in Ubuntu: Fix Released Status in apport source package in Precise: Fix Released Status in apport source package in Trusty: Fix Released Status in apport source package in Xenial: Fix Released Status in apport source package in Yakkety: Fix Released Status in apport source package in Zesty: Fix Released Bug description: Forwarding private (encrypted) mail from Donncha O'Cearbhaill : = 8< == Hi Martin, I have been auditing the Apport software in my free time and unfortunately I have found some serious security issues. Untrusted files can be passed to apport-gtk as it is registered as the default file handler for "text/x-apport" files. The mime-type includes .crash files but also any unknown file type which begins with "ProblemType: ". An attacker could social engineer a victim into opening a malicious Apport crash file simply by clicking on it. In apport/ui.py, Apport is reading the CrashDB field and then it then evaluates the field as Python code if it begins with a "{". This is very dangerous as it can allow remote attackers to execute arbitrary Python code. The vulnerable code was introduce on 2012-08-22 in Apport revision 2464 (http://bazaar.launchpad.net/~apport-hackers/apport/trunk/files/2464). This code was first included in release 2.6.1. All Ubuntu Desktop versions after 12.05 (Precise) include this vulnerable code by default. An easy fix would be to parse the value as JSON instead of eval()'ing it. There is also a path traversal issue where the Package or SourcePackage fields are not sanitized before being used to build a path to the package specific hook files in the /usr/share/apport/package-hooks/ directory. By setting "Package: ../../../../proc/self/cwd/Downloads/rce-hook.py" a remote attacker could exploit this bug to execute Python scripts that have be placed in the user's Downloads directory. Would you like to apply for a CVE for this issues or should I? I'd like to see these issue fixed soon so that Ubuntu users can be kept safe. I'm planning to publish a blog post about these issues but I'll wait until patched version of Apport are available in the repositories. Please let me know if you have any questions. Kind Regards, Donncha = 8< == I just talked to Donna on Jabber, and he plans to disclose that in around a week. To manage notifications about this bug go to: https://bugs.launchpad.net/apport/+bug/1648806/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1648806] Re: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files
Question: The release notes state: "Use ast.literal_eval() instead of the generic eval(), to prevent arbitrary code execution from malicious .crash files" The change should be in ui.py in this revision: http://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/3114 Just to be clear: How does "self.offer_restart = True" avoid generic "eval()" and use "ast.literal_eval()" instead? Does this also mean that there are still situations where "eval()" is called? And why? This always leads to security issues, it's just a matter of time. Thanks for fixing it quickly. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1648806 Title: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files Status in Apport: Fix Released Status in apport package in Ubuntu: Fix Released Status in apport source package in Precise: Fix Released Status in apport source package in Trusty: Fix Released Status in apport source package in Xenial: Fix Released Status in apport source package in Yakkety: Fix Released Status in apport source package in Zesty: Fix Released Bug description: Forwarding private (encrypted) mail from Donncha O'Cearbhaill : = 8< == Hi Martin, I have been auditing the Apport software in my free time and unfortunately I have found some serious security issues. Untrusted files can be passed to apport-gtk as it is registered as the default file handler for "text/x-apport" files. The mime-type includes .crash files but also any unknown file type which begins with "ProblemType: ". An attacker could social engineer a victim into opening a malicious Apport crash file simply by clicking on it. In apport/ui.py, Apport is reading the CrashDB field and then it then evaluates the field as Python code if it begins with a "{". This is very dangerous as it can allow remote attackers to execute arbitrary Python code. The vulnerable code was introduce on 2012-08-22 in Apport revision 2464 (http://bazaar.launchpad.net/~apport-hackers/apport/trunk/files/2464). This code was first included in release 2.6.1. All Ubuntu Desktop versions after 12.05 (Precise) include this vulnerable code by default. An easy fix would be to parse the value as JSON instead of eval()'ing it. There is also a path traversal issue where the Package or SourcePackage fields are not sanitized before being used to build a path to the package specific hook files in the /usr/share/apport/package-hooks/ directory. By setting "Package: ../../../../proc/self/cwd/Downloads/rce-hook.py" a remote attacker could exploit this bug to execute Python scripts that have be placed in the user's Downloads directory. Would you like to apply for a CVE for this issues or should I? I'd like to see these issue fixed soon so that Ubuntu users can be kept safe. I'm planning to publish a blog post about these issues but I'll wait until patched version of Apport are available in the repositories. Please let me know if you have any questions. Kind Regards, Donncha = 8< == I just talked to Donna on Jabber, and he plans to disclose that in around a week. To manage notifications about this bug go to: https://bugs.launchpad.net/apport/+bug/1648806/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1648806] Re: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files
This bug was fixed in the package apport - 2.20.4-0ubuntu1 --- apport (2.20.4-0ubuntu1) zesty; urgency=medium * New upstream release: - SECURITY FIX: Restrict a report's CrashDB field to literals. Use ast.literal_eval() instead of the generic eval(), to prevent arbitrary code execution from malicious .crash files. A user could be tricked into opening a crash file whose CrashDB field contains an exec(), open(), or similar commands; this is fairly easy as we install a MIME handler for these. Thanks to Donncha O'Cearbhaill for discovering this! (CVE-2016-9949, LP: #1648806) - SECURITY FIX: Fix path traversal vulnerability with hooks execution. Ensure that Package: and SourcePackage: fields loaded from reports do not contain directories. Until now, an attacker could trick a user into opening a malicious .crash file containing "Package: ../../../../some/dir/foo" which would execute /some/dir/foo.py with arbitrary code. Thanks to Donncha O'Cearbhaill for discovering this! (CVE-2016-9950, LP: #1648806) - SECURITY FIX: apport-{gtk,kde}: Only offer "Relaunch" for recent /var/crash crashes. It only makes sense to offer relaunching for crashes that just happened and the apport UI got triggered on those. When opening a .crash file copied from somewhere else or after the crash happened, this is even actively dangerous as a malicious crash file can specify any arbitrary command to run. Thanks to Donncha O'Cearbhaill for discovering this! (CVE-2016-9951, LP: #1648806) - backends/packaging-apt-dpkg.py: provide a fallback method if using zgrep to search for a file in Contents.gz fails due to a lack of memory. Thanks Brian Murray. - bin/apport-retrace: When --core-file is used instead of loading the core file and adding it to the apport report just pass the file reference to gdb. * debian/control: Adjust Vcs-Bzr: for zesty branch. -- Martin Pitt Wed, 14 Dec 2016 21:28:57 +0100 ** Changed in: apport (Ubuntu Zesty) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1648806 Title: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files Status in Apport: Fix Released Status in apport package in Ubuntu: Fix Released Status in apport source package in Precise: Fix Released Status in apport source package in Trusty: Fix Released Status in apport source package in Xenial: Fix Released Status in apport source package in Yakkety: Fix Released Status in apport source package in Zesty: Fix Released Bug description: Forwarding private (encrypted) mail from Donncha O'Cearbhaill : = 8< == Hi Martin, I have been auditing the Apport software in my free time and unfortunately I have found some serious security issues. Untrusted files can be passed to apport-gtk as it is registered as the default file handler for "text/x-apport" files. The mime-type includes .crash files but also any unknown file type which begins with "ProblemType: ". An attacker could social engineer a victim into opening a malicious Apport crash file simply by clicking on it. In apport/ui.py, Apport is reading the CrashDB field and then it then evaluates the field as Python code if it begins with a "{". This is very dangerous as it can allow remote attackers to execute arbitrary Python code. The vulnerable code was introduce on 2012-08-22 in Apport revision 2464 (http://bazaar.launchpad.net/~apport-hackers/apport/trunk/files/2464). This code was first included in release 2.6.1. All Ubuntu Desktop versions after 12.05 (Precise) include this vulnerable code by default. An easy fix would be to parse the value as JSON instead of eval()'ing it. There is also a path traversal issue where the Package or SourcePackage fields are not sanitized before being used to build a path to the package specific hook files in the /usr/share/apport/package-hooks/ directory. By setting "Package: ../../../../proc/self/cwd/Downloads/rce-hook.py" a remote attacker could exploit this bug to execute Python scripts that have be placed in the user's Downloads directory. Would you like to apply for a CVE for this issues or should I? I'd like to see these issue fixed soon so that Ubuntu users can be kept safe. I'm planning to publish a blog post about these issues but I'll wait until patched version of Apport are available in the repositories. Please let me know if you have any questions. Kind Regards, Donncha = 8< == I just talked to Donna on Jabber, and he plans to disclose that in around a week. To manage notifications about this bug
[Touch-packages] [Bug 1648806] Re: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files
The attachment "proposed fix for CrashDB code execution" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu- reviewers, unsubscribe the team. [This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.] -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1648806 Title: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files Status in Apport: Fix Released Status in apport package in Ubuntu: Fix Committed Status in apport source package in Precise: Fix Released Status in apport source package in Trusty: Fix Released Status in apport source package in Xenial: Fix Released Status in apport source package in Yakkety: Fix Released Status in apport source package in Zesty: Fix Committed Bug description: Forwarding private (encrypted) mail from Donncha O'Cearbhaill : = 8< == Hi Martin, I have been auditing the Apport software in my free time and unfortunately I have found some serious security issues. Untrusted files can be passed to apport-gtk as it is registered as the default file handler for "text/x-apport" files. The mime-type includes .crash files but also any unknown file type which begins with "ProblemType: ". An attacker could social engineer a victim into opening a malicious Apport crash file simply by clicking on it. In apport/ui.py, Apport is reading the CrashDB field and then it then evaluates the field as Python code if it begins with a "{". This is very dangerous as it can allow remote attackers to execute arbitrary Python code. The vulnerable code was introduce on 2012-08-22 in Apport revision 2464 (http://bazaar.launchpad.net/~apport-hackers/apport/trunk/files/2464). This code was first included in release 2.6.1. All Ubuntu Desktop versions after 12.05 (Precise) include this vulnerable code by default. An easy fix would be to parse the value as JSON instead of eval()'ing it. There is also a path traversal issue where the Package or SourcePackage fields are not sanitized before being used to build a path to the package specific hook files in the /usr/share/apport/package-hooks/ directory. By setting "Package: ../../../../proc/self/cwd/Downloads/rce-hook.py" a remote attacker could exploit this bug to execute Python scripts that have be placed in the user's Downloads directory. Would you like to apply for a CVE for this issues or should I? I'd like to see these issue fixed soon so that Ubuntu users can be kept safe. I'm planning to publish a blog post about these issues but I'll wait until patched version of Apport are available in the repositories. Please let me know if you have any questions. Kind Regards, Donncha = 8< == I just talked to Donna on Jabber, and he plans to disclose that in around a week. To manage notifications about this bug go to: https://bugs.launchpad.net/apport/+bug/1648806/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1648806] Re: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files
** Tags added: patch -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1648806 Title: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files Status in Apport: Fix Released Status in apport package in Ubuntu: Fix Committed Status in apport source package in Precise: Fix Released Status in apport source package in Trusty: Fix Released Status in apport source package in Xenial: Fix Released Status in apport source package in Yakkety: Fix Released Status in apport source package in Zesty: Fix Committed Bug description: Forwarding private (encrypted) mail from Donncha O'Cearbhaill : = 8< == Hi Martin, I have been auditing the Apport software in my free time and unfortunately I have found some serious security issues. Untrusted files can be passed to apport-gtk as it is registered as the default file handler for "text/x-apport" files. The mime-type includes .crash files but also any unknown file type which begins with "ProblemType: ". An attacker could social engineer a victim into opening a malicious Apport crash file simply by clicking on it. In apport/ui.py, Apport is reading the CrashDB field and then it then evaluates the field as Python code if it begins with a "{". This is very dangerous as it can allow remote attackers to execute arbitrary Python code. The vulnerable code was introduce on 2012-08-22 in Apport revision 2464 (http://bazaar.launchpad.net/~apport-hackers/apport/trunk/files/2464). This code was first included in release 2.6.1. All Ubuntu Desktop versions after 12.05 (Precise) include this vulnerable code by default. An easy fix would be to parse the value as JSON instead of eval()'ing it. There is also a path traversal issue where the Package or SourcePackage fields are not sanitized before being used to build a path to the package specific hook files in the /usr/share/apport/package-hooks/ directory. By setting "Package: ../../../../proc/self/cwd/Downloads/rce-hook.py" a remote attacker could exploit this bug to execute Python scripts that have be placed in the user's Downloads directory. Would you like to apply for a CVE for this issues or should I? I'd like to see these issue fixed soon so that Ubuntu users can be kept safe. I'm planning to publish a blog post about these issues but I'll wait until patched version of Apport are available in the repositories. Please let me know if you have any questions. Kind Regards, Donncha = 8< == I just talked to Donna on Jabber, and he plans to disclose that in around a week. To manage notifications about this bug go to: https://bugs.launchpad.net/apport/+bug/1648806/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1648806] Re: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files
This bug was fixed in the package apport - 2.20.3-0ubuntu8.2 --- apport (2.20.3-0ubuntu8.2) yakkety-security; urgency=medium [ Marc Deslauriers ] * SECURITY UPDATE: code execution via malicious crash files - Use ast.literal_eval in apport/ui.py, added test to test/test_ui.py. - No CVE number - LP: #1648806 * SECURITY UPDATE: path traversal vulnerability with hooks execution - Clean path in apport/report.py, added test to test/test_ui.py. - No CVE number - LP: #1648806 [ Steve Beattie ] * SECURITY UPDATE: code execution via malicious crash files - Only offer restarting the application when processing a crash file in /var/crash in apport/ui.py, gtk/apport-gtk, and kde/apport-kde. Add testcases to test/test_ui.py, test/test_ui_gtk.py, and test_ui_kde.py. - No CVE number - LP: #1648806 -- Marc Deslauriers Tue, 13 Dec 2016 10:55:09 -0800 ** Changed in: apport (Ubuntu Yakkety) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1648806 Title: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files Status in Apport: Fix Released Status in apport package in Ubuntu: Fix Committed Status in apport source package in Precise: Fix Released Status in apport source package in Trusty: Fix Released Status in apport source package in Xenial: Fix Released Status in apport source package in Yakkety: Fix Released Status in apport source package in Zesty: Fix Committed Bug description: Forwarding private (encrypted) mail from Donncha O'Cearbhaill : = 8< == Hi Martin, I have been auditing the Apport software in my free time and unfortunately I have found some serious security issues. Untrusted files can be passed to apport-gtk as it is registered as the default file handler for "text/x-apport" files. The mime-type includes .crash files but also any unknown file type which begins with "ProblemType: ". An attacker could social engineer a victim into opening a malicious Apport crash file simply by clicking on it. In apport/ui.py, Apport is reading the CrashDB field and then it then evaluates the field as Python code if it begins with a "{". This is very dangerous as it can allow remote attackers to execute arbitrary Python code. The vulnerable code was introduce on 2012-08-22 in Apport revision 2464 (http://bazaar.launchpad.net/~apport-hackers/apport/trunk/files/2464). This code was first included in release 2.6.1. All Ubuntu Desktop versions after 12.05 (Precise) include this vulnerable code by default. An easy fix would be to parse the value as JSON instead of eval()'ing it. There is also a path traversal issue where the Package or SourcePackage fields are not sanitized before being used to build a path to the package specific hook files in the /usr/share/apport/package-hooks/ directory. By setting "Package: ../../../../proc/self/cwd/Downloads/rce-hook.py" a remote attacker could exploit this bug to execute Python scripts that have be placed in the user's Downloads directory. Would you like to apply for a CVE for this issues or should I? I'd like to see these issue fixed soon so that Ubuntu users can be kept safe. I'm planning to publish a blog post about these issues but I'll wait until patched version of Apport are available in the repositories. Please let me know if you have any questions. Kind Regards, Donncha = 8< == I just talked to Donna on Jabber, and he plans to disclose that in around a week. To manage notifications about this bug go to: https://bugs.launchpad.net/apport/+bug/1648806/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1648806] Re: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files
This bug was fixed in the package apport - 2.14.1-0ubuntu3.23 --- apport (2.14.1-0ubuntu3.23) trusty-security; urgency=medium [ Marc Deslauriers ] * SECURITY UPDATE: code execution via malicious crash files - Use ast.literal_eval in apport/ui.py, added test to test/test_ui.py. - No CVE number - LP: #1648806 * SECURITY UPDATE: path traversal vulnerability with hooks execution - Clean path in apport/report.py, added test to test/test_ui.py. - No CVE number - LP: #1648806 [ Steve Beattie ] * SECURITY UPDATE: code execution via malicious crash files - Only offer restarting the application when processing a crash file in /var/crash in apport/ui.py, gtk/apport-gtk, and kde/apport-kde. Add testcases to test/test_ui.py, test/test_ui_gtk.py, and test_ui_kde.py. - No CVE number - LP: #1648806 -- Marc Deslauriers Mon, 12 Dec 2016 07:27:21 -0500 ** Changed in: apport (Ubuntu Trusty) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1648806 Title: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files Status in Apport: Fix Released Status in apport package in Ubuntu: Fix Committed Status in apport source package in Precise: Fix Released Status in apport source package in Trusty: Fix Released Status in apport source package in Xenial: Fix Released Status in apport source package in Yakkety: Fix Released Status in apport source package in Zesty: Fix Committed Bug description: Forwarding private (encrypted) mail from Donncha O'Cearbhaill : = 8< == Hi Martin, I have been auditing the Apport software in my free time and unfortunately I have found some serious security issues. Untrusted files can be passed to apport-gtk as it is registered as the default file handler for "text/x-apport" files. The mime-type includes .crash files but also any unknown file type which begins with "ProblemType: ". An attacker could social engineer a victim into opening a malicious Apport crash file simply by clicking on it. In apport/ui.py, Apport is reading the CrashDB field and then it then evaluates the field as Python code if it begins with a "{". This is very dangerous as it can allow remote attackers to execute arbitrary Python code. The vulnerable code was introduce on 2012-08-22 in Apport revision 2464 (http://bazaar.launchpad.net/~apport-hackers/apport/trunk/files/2464). This code was first included in release 2.6.1. All Ubuntu Desktop versions after 12.05 (Precise) include this vulnerable code by default. An easy fix would be to parse the value as JSON instead of eval()'ing it. There is also a path traversal issue where the Package or SourcePackage fields are not sanitized before being used to build a path to the package specific hook files in the /usr/share/apport/package-hooks/ directory. By setting "Package: ../../../../proc/self/cwd/Downloads/rce-hook.py" a remote attacker could exploit this bug to execute Python scripts that have be placed in the user's Downloads directory. Would you like to apply for a CVE for this issues or should I? I'd like to see these issue fixed soon so that Ubuntu users can be kept safe. I'm planning to publish a blog post about these issues but I'll wait until patched version of Apport are available in the repositories. Please let me know if you have any questions. Kind Regards, Donncha = 8< == I just talked to Donna on Jabber, and he plans to disclose that in around a week. To manage notifications about this bug go to: https://bugs.launchpad.net/apport/+bug/1648806/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1648806] Re: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files
** Branch linked: lp:apport -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1648806 Title: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files Status in Apport: Fix Released Status in apport package in Ubuntu: Fix Committed Status in apport source package in Precise: Fix Released Status in apport source package in Trusty: Fix Released Status in apport source package in Xenial: Fix Released Status in apport source package in Yakkety: New Status in apport source package in Zesty: Fix Committed Bug description: Forwarding private (encrypted) mail from Donncha O'Cearbhaill : = 8< == Hi Martin, I have been auditing the Apport software in my free time and unfortunately I have found some serious security issues. Untrusted files can be passed to apport-gtk as it is registered as the default file handler for "text/x-apport" files. The mime-type includes .crash files but also any unknown file type which begins with "ProblemType: ". An attacker could social engineer a victim into opening a malicious Apport crash file simply by clicking on it. In apport/ui.py, Apport is reading the CrashDB field and then it then evaluates the field as Python code if it begins with a "{". This is very dangerous as it can allow remote attackers to execute arbitrary Python code. The vulnerable code was introduce on 2012-08-22 in Apport revision 2464 (http://bazaar.launchpad.net/~apport-hackers/apport/trunk/files/2464). This code was first included in release 2.6.1. All Ubuntu Desktop versions after 12.05 (Precise) include this vulnerable code by default. An easy fix would be to parse the value as JSON instead of eval()'ing it. There is also a path traversal issue where the Package or SourcePackage fields are not sanitized before being used to build a path to the package specific hook files in the /usr/share/apport/package-hooks/ directory. By setting "Package: ../../../../proc/self/cwd/Downloads/rce-hook.py" a remote attacker could exploit this bug to execute Python scripts that have be placed in the user's Downloads directory. Would you like to apply for a CVE for this issues or should I? I'd like to see these issue fixed soon so that Ubuntu users can be kept safe. I'm planning to publish a blog post about these issues but I'll wait until patched version of Apport are available in the repositories. Please let me know if you have any questions. Kind Regards, Donncha = 8< == I just talked to Donna on Jabber, and he plans to disclose that in around a week. To manage notifications about this bug go to: https://bugs.launchpad.net/apport/+bug/1648806/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1648806] Re: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1648806 Title: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files Status in Apport: Fix Released Status in apport package in Ubuntu: Fix Committed Status in apport source package in Precise: Fix Released Status in apport source package in Trusty: Fix Released Status in apport source package in Xenial: Fix Released Status in apport source package in Yakkety: New Status in apport source package in Zesty: Fix Committed Bug description: Forwarding private (encrypted) mail from Donncha O'Cearbhaill : = 8< == Hi Martin, I have been auditing the Apport software in my free time and unfortunately I have found some serious security issues. Untrusted files can be passed to apport-gtk as it is registered as the default file handler for "text/x-apport" files. The mime-type includes .crash files but also any unknown file type which begins with "ProblemType: ". An attacker could social engineer a victim into opening a malicious Apport crash file simply by clicking on it. In apport/ui.py, Apport is reading the CrashDB field and then it then evaluates the field as Python code if it begins with a "{". This is very dangerous as it can allow remote attackers to execute arbitrary Python code. The vulnerable code was introduce on 2012-08-22 in Apport revision 2464 (http://bazaar.launchpad.net/~apport-hackers/apport/trunk/files/2464). This code was first included in release 2.6.1. All Ubuntu Desktop versions after 12.05 (Precise) include this vulnerable code by default. An easy fix would be to parse the value as JSON instead of eval()'ing it. There is also a path traversal issue where the Package or SourcePackage fields are not sanitized before being used to build a path to the package specific hook files in the /usr/share/apport/package-hooks/ directory. By setting "Package: ../../../../proc/self/cwd/Downloads/rce-hook.py" a remote attacker could exploit this bug to execute Python scripts that have be placed in the user's Downloads directory. Would you like to apply for a CVE for this issues or should I? I'd like to see these issue fixed soon so that Ubuntu users can be kept safe. I'm planning to publish a blog post about these issues but I'll wait until patched version of Apport are available in the repositories. Please let me know if you have any questions. Kind Regards, Donncha = 8< == I just talked to Donna on Jabber, and he plans to disclose that in around a week. To manage notifications about this bug go to: https://bugs.launchpad.net/apport/+bug/1648806/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1648806] Re: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files
New upstream release with the fixes: https://launchpad.net/apport/trunk/2.20.4 Note that Brian committed some changes to trunk in the last 1.5 hours, so we had some mid-air collection. I force-pushed trunk and will put back his commits on top. ** Changed in: apport Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1648806 Title: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files Status in Apport: Fix Released Status in apport package in Ubuntu: Fix Committed Status in apport source package in Precise: Fix Released Status in apport source package in Trusty: Fix Released Status in apport source package in Xenial: Fix Released Status in apport source package in Yakkety: New Status in apport source package in Zesty: Fix Committed Bug description: Forwarding private (encrypted) mail from Donncha O'Cearbhaill : = 8< == Hi Martin, I have been auditing the Apport software in my free time and unfortunately I have found some serious security issues. Untrusted files can be passed to apport-gtk as it is registered as the default file handler for "text/x-apport" files. The mime-type includes .crash files but also any unknown file type which begins with "ProblemType: ". An attacker could social engineer a victim into opening a malicious Apport crash file simply by clicking on it. In apport/ui.py, Apport is reading the CrashDB field and then it then evaluates the field as Python code if it begins with a "{". This is very dangerous as it can allow remote attackers to execute arbitrary Python code. The vulnerable code was introduce on 2012-08-22 in Apport revision 2464 (http://bazaar.launchpad.net/~apport-hackers/apport/trunk/files/2464). This code was first included in release 2.6.1. All Ubuntu Desktop versions after 12.05 (Precise) include this vulnerable code by default. An easy fix would be to parse the value as JSON instead of eval()'ing it. There is also a path traversal issue where the Package or SourcePackage fields are not sanitized before being used to build a path to the package specific hook files in the /usr/share/apport/package-hooks/ directory. By setting "Package: ../../../../proc/self/cwd/Downloads/rce-hook.py" a remote attacker could exploit this bug to execute Python scripts that have be placed in the user's Downloads directory. Would you like to apply for a CVE for this issues or should I? I'd like to see these issue fixed soon so that Ubuntu users can be kept safe. I'm planning to publish a blog post about these issues but I'll wait until patched version of Apport are available in the repositories. Please let me know if you have any questions. Kind Regards, Donncha = 8< == I just talked to Donna on Jabber, and he plans to disclose that in around a week. To manage notifications about this bug go to: https://bugs.launchpad.net/apport/+bug/1648806/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp