This bug was fixed in the package apport - 2.33.0-0ubuntu1

---------------
apport (2.33.0-0ubuntu1) questing; urgency=medium
  * New upstream release
    - SECURITY UPDATE: Report file insecure permissions (LP: #2106338)
      + Do not change report group to report owner's primary group.
      + CVE-2025-5467
    - SECURITY UPDATE: Race condition when forwarding core files to
      containers (LP: #2107472)
      + apport: move consistency_checks call further up
      + apport: do not override options.pid
      + apport: open /proc/<pid> as early as possible
      + fileutils: respect proc_pid_fd in get_core_path
      + apport: use opened /proc/<pid> everywhere
      + apport: do consistency check before forwarding crashes
      + apport: require --dump-mode to be specified
      + apport: determine report owner by dump_mode
      + apport: do not forward crash for dump_mode == 2
      + apport: support pidfd (%F) parameter from kernel
      + CVE-2025-5054
    - test: support coreutils rename to gnu-coreutils (LP: #2111595)
    - setuptools/java: use snakecase for option name (LP: #2111595)
    - apport: look for the exe within the proc root mount (LP: #2112272)
  * Depend on gnu-coreutils for integration/system tests
  * Depend on python3-pytest-cov in addition to python3-pytest
  * Drop patches applied upstream and refresh remaining patches
  * Address some Pyright complaints in ubuntu general hook

 -- Benjamin Drung <bdr...@ubuntu.com>  Fri, 06 Jun 2025 13:53:15 +0200

** Changed in: apport (Ubuntu)
       Status: Triaged => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-5054

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-5467

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/2106338

Title:
  Apport Report File Insecure Permissions

Status in Apport:
  Fix Released
Status in apport package in Ubuntu:
  Fix Released

Bug description:

When a low privileged process crashes, an apport crash report file is written to /var/crash which contains various technical details including the raw base64 encoded core dump. A core file could potentially include sensitive data such as passwords and encryption keys. The issue is that the report file has group read permissions by default. Any user that is a member of the same primary group can read the crash reports of another user, which could lead to the disclosure of sensitive information.

Test Environment

Ubuntu 24.04.2 LTS
apport 2.28.1-0ubuntu3.5

Setup

Create two users with the primary group set to staff. For this PoC, the following users are used.

    root@apport-test:~# id user1
    uid=1001(user1) gid=50(staff) groups=50(staff)
    root@apport-test:~# id user2
    uid=1002(user2) gid=50(staff) groups=50(staff)

Steps to reproduce

As user1, execute bash, and then export the PGPASSWD variable to the string UberSecret. Send the SIGABRT signal to the bash process to induce a crash. Example:

    user1@apport-test:~$ bash
    user1@apport-test:~$ export PGPASSWD=UberSecret
    user1@apport-test:~$ kill -ABRT $$
    Aborted (core dumped)

Verify the crash report is written to /var/crash/_usr_bin_bash.<UID>.crash. Note that the staff group has read access.

    user1@apport-test:~$ ls -lart /var/crash
    total 104
    drwxr-xr-x 13 root  root   4096 Jul  2  2024 ..
    drwxrwsrwt  2 root  root   4096 Apr  6 09:58 .
    -rw-r-----  1 user1 staff 97412 Apr  6 09:58 _usr_bin_bash.1001.crash

As user2, execute the apport-unpack program to unpack the crash report to /tmp/unpacked.

    user2@apport-test:~$ apport-unpack /var/crash/_usr_bin_bash.1001.crash /tmp/unpacked

As user2, execute "strings /tmp/unpacked/CoreDump |grep -w PGPASSWD" to search the CoreDump file for the PGPASSWD environment variable value. The user2 user is able to read sensitive data associated with a crash for a process executed by user1.

    user2@apport-test:~$ strings /tmp/unpacked/CoreDump |grep -w PGPASSWD
    PGPASSWD
    PGPASSWD
    export PGPASSWD=UberSecret

I suggest removing group read permissions on the crash report file to prevent other users in the same group from reading the potentially sensitive crash data.

I tested the following patch, which resolves the issue in process_crash() by changing the permissions from 640 to 600.

diff --git a/data/apport b/data/apport
index 1200fb07..a2d33a81 100755
--- a/data/apport
+++ b/data/apport
@@ -1154,7 +1154,7 @@ def process_crash(
         recover_privileges()
 
     # make the report writable now, when it's completely written
-    os.fchmod(fd, 0o640)
+    os.fchmod(fd, 0o600)
     logger.info("wrote report %s", report)
 
     if write_coredump_callback:

After applying the above patch, as user1 delete the existing crash file.

    user1@apport-test:~$ rm /var/crash/_usr_bin_bash.1001.crash

As user1, execute bash, and then export the PGPASSWD variable to UberSecret. Send the SIGABRT signal to the bash process to induce a crash.

    user1@apport-test:~$ bash
    user1@apport-test:~$ export PGPASSWD=UberSecret
    user1@apport-test:~$ kill -ABRT $$
    Aborted (core dumped)

Note that the permissions of the newly generated crash report are now 600, which prevents the staff group from reading the file.

    user1@apport-test:~$ ls -ld /var/crash/_usr_bin_bash.1001.crash
    -rw------- 1 user1 staff 97552 Apr  6 13:18 /var/crash/_usr_bin_bash.1001.crash

As user2, executing the apport-unpack command on the crash file now results in a "Permission denied" error.

    user2@apport-test:~$ apport-unpack /var/crash/_usr_bin_bash.1001.crash /tmp/unpacked.new
    ERROR: [Errno 13] Permission denied: '/var/crash/_usr_bin_bash.1001.crash'

To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/2106338/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
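Review bot: tightening the final fchmod in process_crash() to 0o600 closes the read path shown in the description, but the report still ends up owned by the crashing user's primary group (the `-rw------- 1 user1 staff` line after the patch shows this), and the changelog at the top of this mail records that the released fix instead stopped changing the report group to the owner's primary group. The commit message should say which of the two approaches is intended and whether any consumer of /var/crash relied on group-readable reports, and the change should come with a test that asserts the mode of a report written by process_crash() so the permissions cannot silently drift back.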
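As an added example (not apport's code nor the reporter's), here is a check a defender can run against a crash directory to find reports that still carry the group- or world-readable mode this bug describes; the directory and its files in demo() are constructed, and the result is returned rather than only printed.

```python
"""Audit a crash directory for .crash files readable beyond their owner.

Added example, not apport's own code: it flags the condition in the bug
report (default mode 0o640 let the owner's primary group read the core
dump). The sample directory in demo() is constructed.
"""
import os
import stat
import tempfile

GROUP_OR_WORLD_READ = stat.S_IRGRP | stat.S_IROTH


def find_exposed_reports(crash_dir):
    """Return (name, mode, uid, gid) for each regular .crash file that is
    readable by its group or by others. Symlinks are not followed."""
    exposed = []
    for entry in sorted(os.scandir(crash_dir), key=lambda e: e.name):
        if not entry.name.endswith(".crash"):
            continue
        st = entry.stat(follow_symlinks=False)
        if stat.S_ISREG(st.st_mode) and st.st_mode & GROUP_OR_WORLD_READ:
            exposed.append((entry.name, oct(stat.S_IMODE(st.st_mode)),
                            st.st_uid, st.st_gid))
    return exposed


def demo():
    """Constructed sample: one report with the old 0o640 default, one with
    the fixed 0o600, and a non-report file that must be ignored."""
    with tempfile.TemporaryDirectory() as crash_dir:
        for name, mode in [("_usr_bin_bash.1001.crash", 0o640),
                           ("_usr_bin_sleep.1002.crash", 0o600),
                           ("_usr_bin_bash.1001.upload", 0o644)]:
            path = os.path.join(crash_dir, name)
            with open(path, "w") as fh:
                fh.write("ProblemType: Crash\n")
            os.chmod(path, mode)  # explicit, so the umask does not matter
        return find_exposed_reports(crash_dir)


if __name__ == "__main__":
    for name, mode, uid, gid in demo():
        print(f"{name}: mode {mode}, uid {uid}, gid {gid}")
```

Pointed at a real /var/crash, only the 0o640-style report is flagged; a report written with the patched 0o600 mode and non-.crash files are ignored.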