touch-packages team mailing list archive
Message #79692
[Bug 1452239] Re: root escalation with fs.suid_dumpable=2
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1452239
Title: root escalation with fs.suid_dumpable=2
Status in Apport crash detection/reporting: Fix Released
Status in apport package in Ubuntu: Fix Committed
Status in apport source package in Precise: Fix Released
Status in apport source package in Trusty: Fix Released
Status in apport source package in Utopic: Fix Released
Status in apport source package in Vivid: Fix Released
Status in apport source package in Wily: Fix Committed
Bug description:
Sander Bos discovered that Apport enabled a user to perform a root
escalation since it now configures fs.suid_dumpable=2.
Here's a brief description of the issue:
1- A regular user can trigger a coredump with /proc/$PID/stat as root:root simply by doing chmod u-r
2- The root-owned coredump will then be written in the CWD, which in the PoC is /etc/logrotate.d
3- logrotate will gladly skip parts of the coredump it doesn't understand and will successfully run the parts it does
I've set a CRD of 2015-05-21 (original proposal: 2015-05-12) for the
publication of this issue.
I have assigned CVE-2015-1324 to this issue.
We can either:
1- Disable fs.suid_dumpable=2
2- Stop creating core dump files when they are to be created as root
3- Create root-owned core dump files in a well-known location
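A host check for the condition described in this report, added here as an example (it is not part of the bug report or of Apport's code): it reports when fs.suid_dumpable is 2 with a piped kernel.core_pattern, and looks for ELF core files sitting in a configuration directory such as /etc/logrotate.d. The function names are hypothetical; ET_CORE = 4 is the ELF header value for core files.

```python
import os
import struct

ET_CORE = 4  # e_type value that marks a core file in the ELF header

def is_elf_core(path):
    """True if the file starts with an ELF header whose e_type is ET_CORE."""
    with open(path, "rb") as f:
        hdr = f.read(18)  # 16-byte e_ident followed by the 2-byte e_type
    if len(hdr) < 18 or hdr[:4] != b"\x7fELF":
        return False
    endian = "<" if hdr[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big endian
    return struct.unpack(endian + "H", hdr[16:18])[0] == ET_CORE

def find_core_dumps(directory):
    """Names of regular files in `directory` that are ELF core dumps."""
    hits = []
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        if entry.is_file(follow_symlinks=False) and is_elf_core(entry.path):
            hits.append(entry.name)
    return hits

def dump_policy_findings(suid_dumpable, core_pattern):
    """Findings for an fs.suid_dumpable / kernel.core_pattern pair."""
    findings = []
    if suid_dumpable == 2:
        findings.append("fs.suid_dumpable=2 (suidsafe): protected processes are dumped")
        if core_pattern.startswith("|"):
            findings.append("core_pattern is a pipe: the handler chooses where dumps land")
    return findings

def read_sysctl(name):
    with open("/proc/sys/" + name.replace(".", "/")) as f:
        return f.read().strip()

if __name__ == "__main__":
    # Audit the running Linux host.
    for line in dump_policy_findings(int(read_sysctl("fs.suid_dumpable")),
                                     read_sysctl("kernel.core_pattern")):
        print(line)
    if os.path.isdir("/etc/logrotate.d"):
        for name in find_core_dumps("/etc/logrotate.d"):
            print("ELF core file in /etc/logrotate.d:", name)
```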