This security introduces a regression. See bug #2112272.

https://bugs.launchpad.net/bugs/2107472

Title: Race condition when forwarding core files to containers

Status in Apport: Fix Committed
Status in apport package in Ubuntu: Fix Released

Bug description:
Qualys discovered a vulnerability in apport (Ubuntu's core-dump handler), and a similar vulnerability in systemd-coredump (which is the default core-dump handler on Red Hat Enterprise Linux 9 and Fedora for example): a race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (by quickly replacing the crashed SUID process with another process, before its /proc/pid/ files are analyzed by the vulnerable core-dump handler).

Unfortunately, while reading apport's code Qualys noticed that the function that handles crashes inside namespaces (_check_global_pid_and_forward) is called before the aforementioned security checks are run in consistency_checks(); in other words, an attacker can trick apport's _check_global_pid_and_forward() into analyzing the wrong process, while the kernel still sends the core dump of the originally crashed process to apport (over its file descriptor 0, stdin).
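
The ordering problem in the bug description above, as an added Python illustration (not apport's code and not part of the original report): a core-dump handler should confirm that the PID still names the crashed process before any namespace or forwarding logic reads /proc/pid/. The function names, the start-time comparison and the idea that the crash time is available in clock ticks since boot are assumptions made for this sketch.

```python
# Added illustration, not apport code. All names here are hypothetical.

# Constructed /proc/<pid>/stat lines (not real captures). Field 22 is the
# start time in clock ticks since boot; field 2 (comm) may contain ' ' and ')'.
_TAIL = "1 4242 4242 0 -1 4194560 120 0 0 0 1 0 0 0 20 0 1 0"
STAT_ORIGINAL = f"4242 (passwd) S {_TAIL} 500000 1000000 200"
STAT_REPLACED = f"4242 (x) y) R {_TAIL} 500900 1000000 200"


def starttime_ticks(stat_line: str) -> int:
    """Return field 22 (starttime) of a /proc/<pid>/stat line."""
    # comm is chosen by the process owner, so split on the LAST ')'
    # instead of splitting the whole line on whitespace.
    _, sep, rest = stat_line.rpartition(")")
    fields = rest.split()
    # fields[0] is field 3 (state), so field 22 sits at index 19.
    if not sep or len(fields) < 20:
        raise ValueError("malformed or truncated stat line")
    return int(fields[19])


def same_process_as_crash(stat_line: str, crash_ticks: int) -> bool:
    """A process that started after the crash cannot be the one that crashed."""
    return starttime_ticks(stat_line) <= crash_ticks


def dispatch(stat_line: str, crash_ticks: int, in_container: bool) -> str:
    """Decide what to do with the core dump arriving on stdin."""
    # Identity check first: nothing below may trust /proc/<pid>/ until it passes.
    try:
        if not same_process_as_crash(stat_line, crash_ticks):
            return "drop"
    except ValueError:
        return "drop"
    # Only now is it safe to read namespace data and pick a destination.
    return "forward-to-container" if in_container else "handle-on-host"


if __name__ == "__main__":
    crash = 500500  # constructed crash time, same units as starttime
    for name, line in (("original", STAT_ORIGINAL), ("replaced", STAT_REPLACED)):
        print(name, dispatch(line, crash, in_container=True))
```

A start-time comparison only rejects a process that began after the recorded crash time, so its strength depends on how precisely that time is known.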