group.of.nepali.translators team mailing list archive

[Bug 1648806] Re: Arbitrary code execution through crafted CrashDB or Package/Source fields in .crash files

New upstream release with the fixes:
https://launchpad.net/apport/trunk/2.20.4

Note that Brian committed some changes to trunk in the last 1.5 hours,
so we had some mid-air collision. I force-pushed trunk and will put
back his commits on top.

** Changed in: apport
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1648806

Title:
  Arbitrary code execution through crafted CrashDB or Package/Source
  fields in .crash files

Status in Apport:
  Fix Released
Status in apport package in Ubuntu:
  Fix Committed
Status in apport source package in Precise:
  Fix Released
Status in apport source package in Trusty:
  Fix Released
Status in apport source package in Xenial:
  Fix Released
Status in apport source package in Yakkety:
  New
Status in apport source package in Zesty:
  Fix Committed

Bug description:
  Forwarding private (encrypted) mail from Donncha O'Cearbhaill
  <donncha@xxxxxxxxxx>:

  ===================== 8< ==========================
  Hi Martin,

  I have been auditing the Apport software in my free time and
  unfortunately I have found some serious security issues.

  Untrusted files can be passed to apport-gtk as it is registered as the
  default file handler for "text/x-apport" files. The mime-type includes
  .crash files but also any unknown file type which begins with
  "ProblemType: ". An attacker could social engineer a victim into opening
  a malicious Apport crash file simply by clicking on it.

  In apport/ui.py, Apport is reading the CrashDB field and then it
  evaluates the field as Python code if it begins with a "{". This is very
  dangerous as it can allow remote attackers to execute arbitrary Python code.

  The vulnerable code was introduced on 2012-08-22 in Apport revision
  2464
  (http://bazaar.launchpad.net/~apport-hackers/apport/trunk/files/2464).
  This code was first included in release 2.6.1. All Ubuntu Desktop
  versions after 12.05 (Precise) include this vulnerable code by default.

  An easy fix would be to parse the value as JSON instead of eval()'ing
  it.

  There is also a path traversal issue where the Package or SourcePackage
  fields are not sanitized before being used to build a path to the
  package specific hook files in the /usr/share/apport/package-hooks/
  directory.

  By setting "Package: ../../../../proc/self/cwd/Downloads/rce-hook.py" a
  remote attacker could exploit this bug to execute Python scripts that
  have been placed in the user's Downloads directory.

  Would you like to apply for a CVE for these issues or should I? I'd like
  to see these issues fixed soon so that Ubuntu users can be kept safe. I'm
  planning to publish a blog post about these issues but I'll wait until
  patched versions of Apport are available in the repositories.

  Please let me know if you have any questions.

  Kind Regards,
  Donncha
  ===================== 8< ==========================

  I just talked to Donncha on Jabber, and he plans to disclose that in
  around a week.
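As an added illustration of the two fixes the report calls for (parsing a "{"-prefixed CrashDB field strictly as JSON instead of eval()'ing it, and validating the Package/SourcePackage value before it is turned into a hook file path), here is example code that is not Apport's own; the function names, HOOK_DIR and the package-name pattern are assumptions made for this example:

```python
import json
import os
import re

# Assumed hook directory, matching the path named in the report.
HOOK_DIR = "/usr/share/apport/package-hooks"

# Debian package names: lowercase letters, digits, '+', '-' and '.', at least
# two characters, starting with an alphanumeric. This rejects '/', '..' and
# anything else that could escape the hook directory.
PACKAGE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")
CRASHDB_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def parse_crashdb_field(value):
    """Interpret a CrashDB field without eval().

    A value starting with '{' is parsed strictly as JSON and must be an
    object; anything else is accepted only as a plain database name.
    Raises ValueError for everything that fits neither form.
    """
    value = value.strip()
    if not value.startswith("{"):
        if not CRASHDB_NAME_RE.match(value):
            raise ValueError("invalid crash database name")
        return value
    try:
        spec = json.loads(value)
    except ValueError as e:  # json.JSONDecodeError subclasses ValueError
        raise ValueError("CrashDB spec is not valid JSON: %s" % e)
    if not isinstance(spec, dict):
        raise ValueError("CrashDB spec must be a JSON object")
    return spec


def package_hook_path(package, hook_dir=HOOK_DIR):
    """Return the hook path for a package name, or None if the name is unsafe."""
    if not PACKAGE_NAME_RE.match(package):
        return None
    candidate = os.path.normpath(os.path.join(hook_dir, package + ".py"))
    # Defence in depth: the normalised path must still sit directly in hook_dir.
    if os.path.dirname(candidate) != os.path.normpath(hook_dir):
        return None
    return candidate
```

A Python dict literal such as {'impl': 'launchpad'} is rejected by the JSON parser, which is exactly the strictness that removes the code-execution path.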

To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/1648806/+subscriptions