1. Ubuntu Security Notices
  2. USN-4171-5

USN-4171-5: Apport regression

Publication date

18 March 2020

Overview

USN-4171-1 introduced a regression in Apport.

Releases

Packages

  • apport - automatically generate crash reports for debugging

Details

USN-4171-1 fixed vulnerabilities in Apport. This caused a regression in
autopkgtest and python2 compatibility. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Kevin Backhouse discovered Apport would read its user-controlled settings
file as the root user. This could be used by a local attacker to possibly
crash Apport or have other unspecified consequences. (CVE-2019-11481)

Sander Bos discovered a race-condition in Apport during core dump
creation. This could be used by a local attacker to generate a crash report
for a privileged process that is readable by an unprivileged user.
(CVE-2019-11482)

Sander Bos discovered Apport mishandled crash dumps originating from
containers. This could be used by a local attacker to generate a crash
report for a privileged process that is readable by...

USN-4171-1 fixed vulnerabilities in Apport. This caused a regression in
autopkgtest and python2 compatibility. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Kevin Backhouse discovered Apport would read its user-controlled settings
file as the root user. This could be used by a local attacker to possibly
crash Apport or have other unspecified consequences. (CVE-2019-11481)

Sander Bos discovered a race-condition in Apport during core dump
creation. This could be used by a local attacker to generate a crash report
for a privileged process that is readable by an unprivileged user.
(CVE-2019-11482)

Sander Bos discovered Apport mishandled crash dumps originating from
containers. This could be used by a local attacker to generate a crash
report for a privileged process that is readable by an unprivileged user.
(CVE-2019-11483)

Sander Bos discovered Apport mishandled lock-file creation. This could be
used by a local attacker to cause a denial of service against Apport.
(CVE-2019-11485)

Kevin Backhouse discovered Apport read various process-specific files with
elevated privileges during crash dump generation. This could could be used
by a local attacker to generate a crash report for a privileged process
that is readable by an unprivileged user. (CVE-2019-15790)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
19.10 eoan apport –  2.20.11-0ubuntu8.6
python-apport –  2.20.11-0ubuntu8.6
python3-apport –  2.20.11-0ubuntu8.6
18.04 bionic apport –  2.20.9-0ubuntu7.12
python-apport –  2.20.9-0ubuntu7.12
python3-apport –  2.20.9-0ubuntu7.12
16.04 xenial apport –  2.20.1-0ubuntu2.22
python-apport –  2.20.1-0ubuntu2.22
python3-apport –  2.20.1-0ubuntu2.22

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›