*** This bug is a security vulnerability ***

You have been subscribed to a public security bug:

Hi,

I have found a security issue in apport 2.20.11 and earlier.

## Vulnerability
apport 2.20.11 and earlier have an unhandled exception vulnerability while
parsing apport-ignore.xml.
An attacker can cause a denial of service (i.e., application crash) via a
crafted apport-ignore.xml file.

## Description
Reports can be suppressed by blacklisting in apport-ignore.xml.

This is an example of apport-ignore.xml:

<?xml version="1.0" ?>
<apport>
  <ignore mtime="1461374304" program="/opt/sublime_text/sublime_text"/>
  <ignore mtime="1453471676" program="/bin/sleep"/>
  <ignore mtime="1452699271" program="/usr/bin/strace"/>
</apport>

Unfortunately, it may cause an unhandled exception when the 'mtime'
attribute is specified as a string value rather than a number, like this:

<?xml version="1.0" ?>
<apport>
  <ignore mtime="string" program="/bin/sleep"/>
</apport>

It may disrupt apport service and allow an attacker to potentially
enable a denial of service via local access.

The flaw lies in improper exception handling of the 'mtime' attribute in
apport-ignore.xml (see
https://git.launchpad.net/ubuntu/+source/apport/tree/apport/report.py?h=applied/ubuntu/devel#n1104).

## Log
Here is /var/log/apport.log when the above exception occurs.

ERROR: apport (pid 25904) Tue May  5 18:38:21 2020: Unhandled exception:
Traceback (most recent call last):
  File "/usr/share/apport/apport", line 629, in <module>
    if info.check_ignored():
  File "/usr/lib/python3/dist-packages/apport/report.py", line 1082, in check_ignored
    if float(ignore.getAttribute('mtime')) >= cur_mtime:
ValueError: could not convert string to float: 'string'

Sincerely,

** Affects: apport (Ubuntu)
     Importance: Undecided
         Status: New
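
The failure in the traceback and one defensive way to handle it, as an added example that is not apport's code or its upstream fix: the function names and the sample XML are constructed for illustration, and only the `float(ignore.getAttribute('mtime')) >= cur_mtime` comparison is taken from the log above. The hardened variant also rejects non-finite values such as `inf` and `nan`, which goes beyond the case reported here.

```python
import math
from xml.dom import minidom

# Constructed sample: a non-numeric mtime next to a valid entry.
SAMPLE = """<?xml version="1.0" ?>
<apport>
  <ignore mtime="string" program="/bin/sleep"/>
  <ignore mtime="1453471676" program="/usr/bin/strace"/>
</apport>"""


def check_ignored_unsafe(xml_text, program, cur_mtime):
    """Hypothetical stand-in using the unguarded float() from the traceback."""
    dom = minidom.parseString(xml_text)
    for ignore in dom.getElementsByTagName("ignore"):
        if ignore.getAttribute("program") == program:
            if float(ignore.getAttribute("mtime")) >= cur_mtime:
                return True
    return False


def parse_mtime(value):
    """Return mtime as a finite float, or None if the attribute is unusable."""
    try:
        mtime = float(value)
    except ValueError:
        return None
    return mtime if math.isfinite(mtime) else None


def check_ignored_hardened(xml_text, program, cur_mtime):
    """Skip entries with a malformed mtime instead of raising."""
    dom = minidom.parseString(xml_text)
    for ignore in dom.getElementsByTagName("ignore"):
        if ignore.getAttribute("program") != program:
            continue
        mtime = parse_mtime(ignore.getAttribute("mtime"))
        if mtime is not None and mtime >= cur_mtime:
            return True
    return False


def unsafe_raises(xml_text, program, cur_mtime):
    """True if the unguarded version raises ValueError on this input."""
    try:
        check_ignored_unsafe(xml_text, program, cur_mtime)
    except ValueError:
        return True
    return False
```

With the malformed entry skipped, a report for `/bin/sleep` is simply not suppressed, so crash handling continues instead of aborting.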

-- 
Unhandled exception in check_ignored()
https://bugs.launchpad.net/bugs/1877023
You received this bug notification because you are a member of Ubuntu Bugs, 
which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs