touch-packages team mailing list archive

[Bug 1452239] Re: root escalation with fs.suid_dumpable=2

 

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1452239

Title:
  root escalation with fs.suid_dumpable=2

Status in Apport crash detection/reporting:
  Fix Released
Status in apport package in Ubuntu:
  Fix Committed
Status in apport source package in Precise:
  Fix Released
Status in apport source package in Trusty:
  Fix Released
Status in apport source package in Utopic:
  Fix Released
Status in apport source package in Vivid:
  Fix Released
Status in apport source package in Wily:
  Fix Committed

Bug description:
  Sander Bos discovered that Apport enabled a user to perform a root
  escalation since it now configures fs.suid_dumpable=2.

  Here's a brief description of the issue:
  1- A regular user can trigger a coredump with /proc/$PID/stat as root:root simply by doing chmod u-r
  2- The root-owned coredump will then be written in the CWD, which in the PoC is /etc/logrotate.d
  3- logrotate will gladly skip parts of the coredump it doesn't understand and will successfully run the parts it does

  I've set a CRD of 2015-05-21 (original proposal: 2015-05-12) for the
  publication of this issue.

  I have assigned CVE-2015-1324 to this issue.

  We can either:

  1- Disable fs.suid_dumpable=2
  2- Stop creating core dump files when they are to be created as root
  3- Create root-owned core dump files in a well-known location

To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/1452239/+subscriptions
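
An added detection example, not part of the original bug report or Apport's code: because the PoC described above leaves a root-owned core dump in /etc/logrotate.d, this Python check flags any regular file in a configuration directory that carries an ELF core header. The function names and the sample directory contents are constructed for illustration.

```python
import os
import struct
import tempfile

ET_CORE = 4  # e_type value the ELF header uses for core files


def is_elf_core(path):
    """Return True if the file starts with an ELF header whose e_type is ET_CORE."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(18)
    except OSError:
        return False
    if len(head) < 18 or head[:4] != b"\x7fELF":
        return False
    # e_ident[EI_DATA] (byte 5): 1 = little-endian, 2 = big-endian
    endian = {1: "<", 2: ">"}.get(head[5])
    if endian is None:
        return False
    (e_type,) = struct.unpack(endian + "H", head[16:18])
    return e_type == ET_CORE


def find_core_dumps(directory):
    """List (name, owner uid) for regular files in directory that are ELF cores."""
    with os.scandir(directory) as it:
        entries = sorted(it, key=lambda e: e.name)
    hits = []
    for entry in entries:
        if entry.is_file(follow_symlinks=False) and is_elf_core(entry.path):
            hits.append((entry.name, entry.stat(follow_symlinks=False).st_uid))
    return hits


def build_sample_dir():
    """Constructed sample: one ordinary logrotate snippet and one fake core header."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "syslog"), "w") as fh:
        fh.write("/var/log/syslog {\n    weekly\n    rotate 4\n}\n")
    # ELF64, little-endian, e_type = ET_CORE; the rest of the file is padding.
    header = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9) + struct.pack("<H", ET_CORE)
    with open(os.path.join(d, "core"), "wb") as fh:
        fh.write(header + bytes(46))
    return d


if __name__ == "__main__":
    target = "/etc/logrotate.d" if os.path.isdir("/etc/logrotate.d") else build_sample_dir()
    for name, uid in find_core_dumps(target):
        print(f"{target}/{name}: ELF core dump, owner uid {uid}")
```

A hit owned by uid 0 in a directory that a root-run service parses, such as /etc/logrotate.d, matches the pattern in the bug description and warrants checking the host's fs.suid_dumpable setting.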