** Changed in: apport
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/2107472
Title:
Race condition when forwarding core files to containers
Status in Apport:
Fix Released
Status in apport package in Ubuntu:
Fix Released
Bug description:
Qualys discovered a vulnerability in apport (Ubuntu's core-dump
handler), and a similar vulnerability in systemd-coredump (which is
the default core-dump handler on Red Hat Enterprise Linux 9 and Fedora
for example): a race condition that allows a local attacker to crash a
SUID program and gain read access to the resulting core dump (by
quickly replacing the crashed SUID process with another process,
before its /proc/pid/ files are analyzed by the vulnerable core-dump
handler).
Unfortunately, while reading apport's code Qualys noticed that the function
that handles crashes inside namespaces (_check_global_pid_and_forward) is
called before the aforementioned security checks are run in
consistency_checks(); in other words, an attacker can trick apport's
_check_global_pid_and_forward() into
analyzing the wrong process, while the kernel still sends the core dump of
the originally crashed process to apport (over its file descriptor 0, stdin).
To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/2107472/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
