The fixes have been released and the CVE has been made public:
* https://blog.qualys.com/vulnerabilities-threat-research/2025/05/29/qualys-tru-discovers-two-local-information-disclosure-vulnerabilities-in-apport-and-systemd-coredump-cve-2025-5054-and-cve-2025-4598
* https://www.qualys.com/2025/05/29/apport-coredump/apport-coredump.txt
** Summary changed:
- Three bypasses
+ Local information disclosure in apport (Three bypasses)
** Information type changed from Private Security to Public Security
** Also affects: apport
Importance: Undecided
Status: New
** Changed in: apport
Milestone: None => 2.33.0
** Changed in: apport (Ubuntu)
Status: Triaged => Fix Released
** Changed in: apport
Importance: Undecided => High
** Changed in: apport
Status: New => In Progress
--
https://bugs.launchpad.net/bugs/2107472
Title:
Local information disclosure in apport (Three bypasses)
Status in Apport:
In Progress
Status in apport package in Ubuntu:
Fix Released
Bug description:
Qualys discovered a vulnerability in apport (Ubuntu's core-dump
handler), and a similar vulnerability in systemd-coredump (which is
the default core-dump handler on Red Hat Enterprise Linux 9 and Fedora
for example): a race condition that allows a local attacker to crash a
SUID program and gain read access to the resulting core dump (by
quickly replacing the crashed SUID process with another process,
before its /proc/pid/ files are analyzed by the vulnerable core-dump
handler).
Unfortunately, while reading apport's code Qualys noticed that the
function that handles crashes inside namespaces
(_check_global_pid_and_forward) is called before the aforementioned
security checks are run in consistency_checks(); in other words, an
attacker can trick apport's _check_global_pid_and_forward() into
analyzing the wrong process, while the kernel still sends the core dump
of the originally crashed process to apport (over its file descriptor 0,
stdin).
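The race described above comes down to a handler reading /proc/pid/ files for a PID that may no longer name the crashed process. The sketch below is an added example, not apport's or systemd-coredump's code and not the released fix: it shows one way to refuse analysis when the PID has been recycled, by comparing the process start time before and after collection. The function names, the read_stat hook, the crash_ticks parameter and the sample stat lines are assumptions constructed for illustration.

```python
"""Added example: pin the identity of the PID a crash handler inspects."""


def parse_stat(line):
    """Return (pid, starttime) from one /proc/<pid>/stat line.

    comm (field 2) is chosen by the process itself and may contain spaces
    or ')', so split on the LAST ')' rather than on whitespace.
    """
    head, _, tail = line.rpartition(")")
    pid = int(head.split("(", 1)[0])
    # tail begins at field 3 (state); starttime is field 22, so index 19.
    return pid, int(tail.split()[19])


class ProcessReplaced(Exception):
    """The PID no longer names the process that crashed."""


def collect_pinned(read_stat, collect, crash_ticks):
    """Run collect() only while the PID still names the crashed process.

    read_stat: returns the current /proc/<pid>/stat line (hypothetical hook).
    crash_ticks: crash time in clock ticks since boot (assumed to be
    converted by the caller into the same unit as starttime).
    """
    before = parse_stat(read_stat())
    if before[1] > crash_ticks:
        raise ProcessReplaced("process started after the crash")
    result = collect()
    if parse_stat(read_stat()) != before:
        raise ProcessReplaced("PID changed owner during collection")
    return result


def sample_stat(pid, comm, starttime):
    """Constructed /proc/<pid>/stat line for the demo (not real output)."""
    return (f"{pid} ({comm}) S 1 {pid} {pid} 0 -1 4194560 100 0 0 0 "
            f"1 1 0 0 20 0 1 0 {starttime} 1000000 100")


if __name__ == "__main__":
    # Constructed race: the PID is recycled between the two reads.
    reads = iter([sample_stat(4242, "su", 500), sample_stat(4242, "sh", 900)])
    try:
        collect_pinned(lambda: next(reads), lambda: "proc data", 600)
    except ProcessReplaced as exc:
        print("refused:", exc)
```

A start-time comparison only detects a replacement after the fact; a handle that stays bound to one process, such as a pidfd, avoids looking the process up by PID at all.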