desktop-packages team mailing list archive

Thread
Date
[Bug 1492570] Re: /usr/share/apport/kernel_crashdump accesses files in insecure manner

To: desktop-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1492570@xxxxxxxxxxxxxxxxxx>
Date: Thu, 24 Sep 2015 12:02:28 -0000
Reply-to: Bug 1492570 <1492570@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
This bug was fixed in the package apport - 2.14.1-0ubuntu3.15

---------------
apport (2.14.1-0ubuntu3.15) trusty-security; urgency=medium

  [ Martin Pitt ]
  * SECURITY FIX: kernel_crashdump: Enforce that the log/dmesg files are not a
    symlink.
    This prevents normal users from pre-creating a symlink to the predictable
    .crash file, and thus triggering a "fill up disk" DoS attack when the
    .crash report tries to include itself. Also clean up the code to make this
    easier to read: Drop the "vmcore_root" alias, move the vmcore and
    vmcore.log cleanup into the "no kdump" section, and replace the buggy
    os.walk() loop with a glob to only catch direct timestamp subdirectories
    of /var/crash/.
    Thanks to halfdog for discovering this!
    (CVE-2015-1338, part of LP #1492570)
  * SECURITY FIX: Fix all writers of report files to open the report file
    exclusively.
    Fix package_hook, kernel_crashdump, and similar hooks to fail if the
    report already exists. This prevents privilege escalation through symlink
    attacks. Note that this will also prevent overwriting previous reports
    with the same same. Thanks to halfdog for discovering this!
    (CVE-2015-1338, LP: #1492570)

  [ Marc Deslauriers ]
  * This package does _not_ contain the changes from 2.14.1-0ubuntu3.14 in
    trusty-proposed.

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Wed, 23 Sep 2015
11:28:26 -0400

** Changed in: apport (Ubuntu Trusty)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1492570

Title:
  /usr/share/apport/kernel_crashdump accesses files in insecure manner

Status in Apport:
  Fix Committed
Status in apport package in Ubuntu:
  In Progress
Status in apport source package in Precise:
  Fix Released
Status in apport source package in Trusty:
  Fix Released
Status in apport source package in Vivid:
  Fix Released
Status in apport source package in Wily:
  In Progress

Bug description:
  On Ubuntu Vivid Linux distribution upstart or SysV init invokes the
  program /usr/share/apport/kernel_crashdump at boot to prepare crash
  dump files for sending. This action is performed with root privileges.
  As the crash dump directory /var/crash/ is world writable and
  kernel_crashdump performs file access in unsafe manner, any local user
  may trigger a denial of service or escalate to root privileges. If
  symlink and hardlink protection is enabled (which should be the
  default for any modern system), only denial of service is possible.

  Problematic syscall in kernel_crashdump is:

  open("/var/crash/linux-image-3.19.0-18-generic.0.crash", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE|O_CLOEXEC, 0666) = 30
  ...
  open("/var/crash/vmcore.log", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 31

  Thus the output file is opened unconditionally and without O_EXCL or
  O_NOFOLLOW. Also opening of input file does not care about links.

  By sym- or hardlinking from the predictable dump file name to the
  vmcore.log, kernel_crashdump will recursively include its own dump as
  logfile, thus filling the disk. This also works with symlink and
  hardlink protection turned on.

  By symlinking to other files (with symlink protection off), arbitrary
  files can be overwritten to gain root privileges.

  # lsb_release -rd
  Description:    Ubuntu 15.04
  Release:        15.04

  # apt-cache policy apport
  apport:
    Installed: 2.17.2-0ubuntu1.3
    Candidate: 2.17.2-0ubuntu1.3
    Version table:
   *** 2.17.2-0ubuntu1.3 0
          500 http://archive.ubuntu.com/ubuntu/ vivid-updates/main i386 Packages
          100 /var/lib/dpkg/status
       2.17.2-0ubuntu1.1 0
          500 http://archive.ubuntu.com/ubuntu/ vivid-security/main i386 Packages
       2.17.2-0ubuntu1 0
          500 http://archive.ubuntu.com/ubuntu/ vivid/main i386 Packages

  
  See http://www.halfdog.net/Security/2015/ApportKernelCrashdumpFileAccessVulnerabilities/ for more information and follow the link on the bottom if you know what you are doing (user: InvitedOnly, pass: w0f63smR).

  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA1

  Anyone helping to fix, analyze, mitigate, the security issue at
  http://www.halfdog.net/Security/2015/ApportKernelCrashdumpFileAccessVulnerabilities/
  to improve security is allowed to view and use this resource. It
  may be passed on (including password) to other security engineers
  under the same conditions at your own risk. Free circulation
  of that resource is allowed as soon as password protection was
  removed or when stated on the page itself.
  -----BEGIN PGP SIGNATURE-----
  Version: GnuPG v1

  iEYEARECAAYFAlXqzOcACgkQxFmThv7tq+7GTwCgiwCkUqsB0qiwGIktUMIPqgXY
  9bYAni2R8hAZVWWrtPZ+xsDgHGgWq2gL
  =Y4E5
  -----END PGP SIGNATURE-----

To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/1492570/+subscriptions