This bug was fixed in the package apport - 2.20.4-0ubuntu1

---------------
apport (2.20.4-0ubuntu1) zesty; urgency=medium

  * New upstream release:
    - SECURITY FIX: Restrict a report's CrashDB field to literals. Use
      ast.literal_eval() instead of the generic eval(), to prevent arbitrary
      code execution from malicious .crash files. A user could be tricked
      into opening a crash file whose CrashDB field contains an exec(),
      open(), or similar commands; this is fairly easy as we install a MIME
      handler for these. Thanks to Donncha O'Cearbhaill for discovering
      this! (CVE-2016-9949, LP: #1648806)
    - SECURITY FIX: Fix path traversal vulnerability with hooks execution.
      Ensure that Package: and SourcePackage: fields loaded from reports do
      not contain directories. Until now, an attacker could trick a user
      into opening a malicious .crash file containing
      "Package: ../../../../some/dir/foo" which would execute
      /some/dir/foo.py with arbitrary code. Thanks to Donncha O'Cearbhaill
      for discovering this! (CVE-2016-9950, LP: #1648806)
    - SECURITY FIX: apport-{gtk,kde}: Only offer "Relaunch" for recent
      /var/crash crashes. It only makes sense to offer relaunching for
      crashes that just happened and the apport UI got triggered on those.
      When opening a .crash file copied from somewhere else or after the
      crash happened, this is even actively dangerous as a malicious crash
      file can specify any arbitrary command to run. Thanks to Donncha
      O'Cearbhaill for discovering this! (CVE-2016-9951, LP: #1648806)
    - backends/packaging-apt-dpkg.py: provide a fallback method if using
      zgrep to search for a file in Contents.gz fails due to a lack of
      memory. Thanks Brian Murray.
    - bin/apport-retrace: When --core-file is used, instead of loading the
      core file and adding it to the apport report just pass the file
      reference to gdb.
  * debian/control: Adjust Vcs-Bzr: for zesty branch.

 -- Martin Pitt <martin.p...@ubuntu.com>  Wed, 14 Dec 2016 21:28:57 +0100

** Changed in: apport (Ubuntu Zesty)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1648806

Title:
  Arbitrary code execution through crafted CrashDB or Package/Source
  fields in .crash files

Status in Apport:
  Fix Released
Status in apport package in Ubuntu:
  Fix Released
Status in apport source package in Precise:
  Fix Released
Status in apport source package in Trusty:
  Fix Released
Status in apport source package in Xenial:
  Fix Released
Status in apport source package in Yakkety:
  Fix Released
Status in apport source package in Zesty:
  Fix Released

Bug description:
  Forwarding private (encrypted) mail from Donncha O'Cearbhaill
  <donn...@donncha.is>:

  ===================== 8< ==========================

  Hi Martin,

  I have been auditing the Apport software in my free time and
  unfortunately I have found some serious security issues.

  Untrusted files can be passed to apport-gtk as it is registered as the
  default file handler for "text/x-apport" files. The mime-type includes
  .crash files but also any unknown file type which begins with
  "ProblemType: ". An attacker could social engineer a victim into
  opening a malicious Apport crash file simply by clicking on it.

  In apport/ui.py, Apport is reading the CrashDB field and then evaluates
  the field as Python code if it begins with a "{". This is very
  dangerous as it can allow remote attackers to execute arbitrary Python
  code.

  The vulnerable code was introduced on 2012-08-22 in Apport revision
  2464 (http://bazaar.launchpad.net/~apport-hackers/apport/trunk/files/2464).
  This code was first included in release 2.6.1. All Ubuntu Desktop
  versions after 12.05 (Precise) include this vulnerable code by default.

  An easy fix would be to parse the value as JSON instead of eval()'ing
  it.

  There is also a path traversal issue where the Package or SourcePackage
  fields are not sanitized before being used to build a path to the
  package specific hook files in the /usr/share/apport/package-hooks/
  directory. By setting
  "Package: ../../../../proc/self/cwd/Downloads/rce-hook.py" a remote
  attacker could exploit this bug to execute Python scripts that have
  been placed in the user's Downloads directory.

  Would you like to apply for a CVE for these issues or should I? I'd
  like to see these issues fixed soon so that Ubuntu users can be kept
  safe. I'm planning to publish a blog post about these issues but I'll
  wait until patched versions of Apport are available in the
  repositories.

  Please let me know if you have any questions.

  Kind Regards,
  Donncha

  ===================== 8< ==========================

  I just talked to Donncha on Jabber, and he plans to disclose that in
  around a week.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/1648806/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
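The two report-parsing fixes described in the changelog above (CVE-2016-9949: parse the CrashDB field with ast.literal_eval() rather than eval(); CVE-2016-9950: reject Package:/SourcePackage: values that contain a directory component) as an added, self-contained Python example. This is illustrative code written for this page, not apport's own implementation. The hooks directory constant mirrors the path named in the bug report, the "Key: value" report layout and the "name version" form of the Package field are assumptions about apport's format, and both sample reports are constructed.

```python
import ast
import os
from typing import Optional

# Directory named in the bug report; a constant here, nothing is read from disk.
HOOKS_DIR = "/usr/share/apport/package-hooks"


def parse_crashdb_field(value: str) -> dict:
    """Parse a report's CrashDB field.

    A value starting with '{' is a crash database specification.  It is parsed
    with ast.literal_eval(), which accepts only Python literals (strings,
    numbers, tuples, lists, dicts, sets, booleans, None) and raises on any
    call, name lookup or attribute access, so exec(), open() or __import__()
    embedded in a malicious file are never executed.  A bare value is treated
    as a database name.
    """
    value = value.strip()
    if not value.startswith("{"):
        return {"name": value}
    try:
        spec = ast.literal_eval(value)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError(f"CrashDB field is not a literal: {exc}") from exc
    if not isinstance(spec, dict):
        raise ValueError("CrashDB specification must be a dict literal")
    return spec


def hook_path_for_package(field_value: str, hooks_dir: str = HOOKS_DIR) -> Optional[str]:
    """Return the package hook path for a Package:/SourcePackage: field, or
    None when the field is not a plain package name.

    The first whitespace-separated token is taken as the package name
    (assumed "name version" layout).  Any directory component rejects the
    field outright; as a second line of defence the joined path must still
    normalise to a location inside hooks_dir.
    """
    tokens = field_value.split()
    if not tokens:
        return None
    name = tokens[0]
    if name in (".", "..") or "/" in name or os.sep in name or os.path.basename(name) != name:
        return None
    base = os.path.normpath(hooks_dir)
    path = os.path.normpath(os.path.join(base, name + ".py"))
    if os.path.commonpath([base, path]) != base:
        return None
    return path


def check_report(text: str) -> dict:
    """Parse a minimal 'Key: value' report and apply both checks.

    Returns the parsed CrashDB spec (None if rejected), the hook paths that
    would be consulted, and the reasons for anything that was rejected.
    """
    fields = {}
    for line in text.splitlines():
        # Continuation lines in apport reports are indented; skip them here.
        if ":" in line and not line.startswith(" "):
            key, _, val = line.partition(":")
            fields[key.strip()] = val.strip()
    result = {"crashdb": None, "hooks": [], "errors": []}
    if "CrashDB" in fields:
        try:
            result["crashdb"] = parse_crashdb_field(fields["CrashDB"])
        except ValueError as exc:
            result["errors"].append(str(exc))
    for key in ("Package", "SourcePackage"):
        if key in fields:
            path = hook_path_for_package(fields[key])
            if path is None:
                result["errors"].append(f"{key} field contains a directory: {fields[key]!r}")
            else:
                result["hooks"].append(path)
    return result


# Constructed sample reports, not real crash files.
BENIGN_REPORT = """ProblemType: Crash
Package: apport 2.20.4-0ubuntu1
SourcePackage: apport
CrashDB: {"impl": "launchpad", "project": "apport"}
"""

MALICIOUS_REPORT = """ProblemType: Crash
Package: ../../../../proc/self/cwd/Downloads/rce-hook.py
CrashDB: {"impl": "launchpad", "x": __import__("os").system("id")}
"""

if __name__ == "__main__":
    for label, report in (("benign", BENIGN_REPORT), ("malicious", MALICIOUS_REPORT)):
        print(label, check_report(report))
```

Running the block prints the benign report with an empty error list and the malicious one with two rejections: the CrashDB value fails literal_eval() because it contains a call, and the Package value is refused because it carries directory components. Note that ast.literal_eval() still parses attacker-controlled input, so the resulting dict should be validated against the keys the application expects before use, exactly as it would be for JSON.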