This bug was fixed in the package apport - 2.14.1-0ubuntu3.15
---------------
apport (2.14.1-0ubuntu3.15) trusty-security; urgency=medium

  [ Martin Pitt ]
  * SECURITY FIX: kernel_crashdump: Enforce that the log/dmesg files are not a
    symlink.
    This prevents normal users from pre-creating a symlink to the predictable
    .crash file, and thus triggering a "fill up disk" DoS attack when the
    .crash report tries to include itself. Also clean up the code to make this
    easier to read: Drop the "vmcore_root" alias, move the vmcore and
    vmcore.log cleanup into the "no kdump" section, and replace the buggy
    os.walk() loop with a glob to only catch direct timestamp subdirectories
    of /var/crash/.
    Thanks to halfdog for discovering this!
    (CVE-2015-1338, part of LP #1492570)
  * SECURITY FIX: Fix all writers of report files to open the report file
    exclusively.
    Fix package_hook, kernel_crashdump, and similar hooks to fail if the
    report already exists. This prevents privilege escalation through symlink
    attacks. Note that this will also prevent overwriting previous reports
    with the same name. Thanks to halfdog for discovering this!
    (CVE-2015-1338, LP: #1492570)

  [ Marc Deslauriers ]
  * This package does _not_ contain the changes from 2.14.1-0ubuntu3.14 in
    trusty-proposed.

 -- Marc Deslauriers <[email protected]>  Wed, 23 Sep 2015 11:28:26 -0400
** Changed in: apport (Ubuntu Trusty)
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1492570
Title:
/usr/share/apport/kernel_crashdump accesses files in insecure manner
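
The two fixes named in the changelog above (exclusive creation of the report file, and refusing symlinks when reading log/dmesg files), sketched as an added example that is not apport's own code. All function names, file names and contents are constructed for illustration, and POSIX open flags are assumed.

```python
import os
import stat
import tempfile

def write_report_following(path, data):
    """'Before' pattern: a plain open() follows a pre-created symlink."""
    with open(path, "wb") as f:
        f.write(data)

def write_report_exclusive(path, data):
    """Create the report only if nothing exists at path yet."""
    # O_CREAT|O_EXCL gives EEXIST for any existing name, symlinks included.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def read_log_no_symlink(path):
    """Read a log/dmesg file, refusing symlinks and non-regular files."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # ELOOP if path is a symlink
    with os.fdopen(fd, "rb") as f:
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise OSError("not a regular file: " + path)
        return f.read()

def refused(func, *args):
    try:
        func(*args)
    except OSError:  # FileExistsError and the ELOOP error are both OSError
        return True
    return False

def demo():
    """Run the writers and reader against a constructed, pre-planted symlink."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "other-file")    # constructed sample file
        report = os.path.join(d, "sample.crash")  # constructed report name
        with open(target, "wb") as f:
            f.write(b"original")
        os.symlink(target, report)                # link planted before the hook runs
        out = {
            "exclusive_refused": refused(write_report_exclusive, report, b"report"),
            "read_refused": refused(read_log_no_symlink, report),
        }
        with open(target, "rb") as f:
            out["intact_after_exclusive"] = f.read() == b"original"
        write_report_following(report, b"report")  # 'before' behaviour
        with open(target, "rb") as f:
            out["clobbered_by_following"] = f.read() == b"report"
    return out
```

As the changelog notes, the exclusive writer also refuses to overwrite an earlier legitimate report with the same name, so callers need to handle `FileExistsError`.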