1. Ubuntu Security Notices
  2. USN-2609-1

USN-2609-1: Apport vulnerabilities

Publication date

21 May 2015

Overview

Apport could be tricked into creating arbitrary files as an administrator, resulting in privilege escalation.

Releases

Packages

  • apport - automatically generate crash reports for debugging

Details

Sander Bos discovered that Apport incorrectly handled permissions when
the system was configured to generate core dumps for setuid binaries. A
local attacker could use this issue to gain elevated privileges.
(CVE-2015-1324)

Philip Pettersson discovered that Apport contained race conditions
resulting core dumps to be generated with incorrect permissions in
arbitrary locations. A local attacker could use this issue to gain elevated
privileges. (CVE-2015-1325)

Sander Bos discovered that Apport incorrectly handled permissions when
the system was configured to generate core dumps for setuid binaries. A
local attacker could use this issue to gain elevated privileges.
(CVE-2015-1324)

Philip Pettersson discovered that Apport contained race conditions
resulting core dumps to be generated with incorrect permissions in
arbitrary locations. A local attacker could use this issue to gain elevated
privileges. (CVE-2015-1325)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
15.04 vivid apport –  2.17.2-0ubuntu1.1
14.10 utopic apport –  2.14.7-0ubuntu8.5
14.04 trusty apport –  2.14.1-0ubuntu3.11
12.04 precise apport –  2.0.1-0ubuntu17.9

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›