Apport

It was discovered that process_crash() in data/apport in Canonical's Apport crash reporting tool may create crash files with incorrect group ownership, possibly exposing crash information beyond expected or intended groups.

Published: 2025-12-10T18:00:35.967Z
Updated: 2025-12-10T18:45:08.960Z

Race condition in Canonical apport up to and including 2.32.0 allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces. When handling a crash, the function `_check_global_pid_and_forward`, which detects if the crashing process resided in a container, was being called before `consistency_checks`, which attempts to detect if the crashing process had been replaced. Because of this, if a process crashed and was quickly replaced with a containerized one, apport could be made to forward the core dump to the container, potentially leaking sensitive information. `consistency_checks` is now being called before `_check_global_pid_and_forward`. Additionally, given that the PID-reuse race condition cannot be reliably detected from userspace alone, crashes are only forwarded to containers if the kernel provided a pidfd, or if the crashing process was unprivileged (i.e., if dump mode == 1).

Published: 2025-05-30T17:37:01.006Z
Updated: 2025-11-03T20:05:43.609Z

A privilege escalation attack was found in apport-cli 2.26.0 and earlier which is similar to CVE-2023-26604. If a system is specially configured to allow unprivileged users to run sudo apport-cli, less is configured as the pager, and the terminal size can be set: a local attacker can escalate privilege. It is extremely unlikely that a system administrator would configure sudo to allow unprivileged users to perform this class of exploit.

Published: 2023-04-13T22:35:19.704Z
Updated: 2025-02-07T15:54:48.365Z

Apport does not disable python crash handler before entering chroot

Published: 2024-06-04T22:02:26.017Z
Updated: 2024-08-03T05:56:16.428Z

Users can consume unlimited disk space in /var/crash

Published: 2025-01-31T00:50:49.677Z
Updated: 2025-02-07T15:56:12.162Z

Apport can be tricked into connecting to arbitrary sockets as the root user

Published: 2024-06-03T18:48:02.281Z
Updated: 2025-03-27T19:31:12.082Z

There is a race condition in the 'replaced executable' detection that, with the correct local configuration, allow an attacker to execute arbitrary code as root.

Published: 2024-06-03T18:40:32.847Z
Updated: 2024-08-19T14:10:41.358Z

An information disclosure via path traversal was discovered in apport/hookutils.py function read_file(). This issue affects: apport 2.14.1 versions prior to 2.14.1-0ubuntu3.29+esm8; 2.20.1 versions prior to 2.20.1-0ubuntu2.30+esm2; 2.20.9 versions prior to 2.20.9-0ubuntu7.26; 2.20.11 versions prior to 2.20.11-0ubuntu27.20; 2.20.11 versions prior to 2.20.11-0ubuntu65.3;

Published: 2021-10-01T02:35:22.911Z
Updated: 2024-09-17T01:41:25.529Z

Function check_attachment_for_errors() in file data/general-hooks/ubuntu.py could be tricked into exposing private data via a constructed crash file. This issue affects: apport 2.14.1 versions prior to 2.14.1-0ubuntu3.29+esm8; 2.20.1 versions prior to 2.20.1-0ubuntu2.30+esm2; 2.20.9 versions prior to 2.20.9-0ubuntu7.26; 2.20.11 versions prior to 2.20.11-0ubuntu27.20; 2.20.11 versions prior to 2.20.11-0ubuntu65.3;

Published: 2021-10-01T02:35:21.228Z
Updated: 2024-09-16T23:31:13.094Z

It was discovered that the process_report() function in data/whoopsie-upload-all allowed arbitrary file writes via symlinks.

Published: 2021-06-12T03:40:43.352Z
Updated: 2024-09-16T17:53:05.508Z

It was discovered that the get_modified_conffiles() function in backends/packaging-apt-dpkg.py allowed injecting modified package names in a manner that would confuse the dpkg(1) call.

Published: 2021-06-12T03:40:42.604Z
Updated: 2024-09-16T19:51:18.523Z

It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the xorg-hwe-18.04 package apport hooks, it could expose private data to other local users.

Published: 2021-06-12T03:40:41.851Z
Updated: 2024-09-16T20:47:23.455Z

It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the xorg package apport hooks, it could expose private data to other local users.

Published: 2021-06-12T03:40:41.158Z
Updated: 2024-09-16T23:20:32.516Z

It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-17 package apport hooks, it could expose private data to other local users.

Published: 2021-06-12T03:40:40.514Z
Updated: 2024-09-16T22:51:04.819Z

It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users.

Published: 2021-06-12T03:40:39.859Z
Updated: 2024-09-17T02:37:33.692Z

It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-15 package apport hooks, it could expose private data to other local users.

Published: 2021-06-12T03:40:39.210Z
Updated: 2024-09-16T20:21:31.720Z

It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-14 package apport hooks, it could expose private data to other local users.

Published: 2021-06-12T03:40:38.559Z
Updated: 2024-09-16T23:22:01.152Z

It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-13 package apport hooks, it could expose private data to other local users.

Published: 2021-06-12T03:40:37.848Z
Updated: 2024-09-16T23:11:32.731Z

It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-8 package apport hooks, it could expose private data to other local users.

Published: 2021-06-12T03:40:37.135Z
Updated: 2024-09-16T18:29:09.540Z

It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-lts package apport hooks, it could expose private data to other local users.

Published: 2021-06-12T03:40:36.400Z
Updated: 2024-09-17T03:18:22.707Z

It was discovered that apport in data/apport did not properly open a report file to prevent hanging reads on a FIFO.

Published: 2021-06-11T02:20:20.510Z
Updated: 2025-11-03T19:25:41.029Z

It was discovered that the get_starttime() function in data/apport did not properly parse the /proc/pid/stat file from the kernel.

Published: 2021-06-11T02:20:19.881Z
Updated: 2024-09-16T22:03:30.982Z

It was discovered that the get_pid_info() function in data/apport did not properly parse the /proc/pid/status file from the kernel.

Published: 2021-06-11T02:20:19.233Z
Updated: 2024-09-17T00:46:19.717Z

Time-of-check Time-of-use Race Condition vulnerability on crash report ownership change in Apport allows for a possible privilege escalation opportunity. If fs.protected_symlinks is disabled, this can be exploited between the os.open and os.chown calls when the Apport cron script clears out crash files of size 0. A symlink with the same name as the deleted file can then be created upon which chown will be called, changing the file owner to root. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22.

Published: 2020-04-22T21:15:18.859Z
Updated: 2024-09-16T20:53:27.660Z

Apport creates a world writable lock file with root ownership in the world writable /var/lock/apport directory. If the apport/ directory does not exist (this is not uncommon as /var/lock is a tmpfs), it will create the directory, otherwise it will simply continue execution using the existing directory. This allows for a symlink attack if an attacker were to create a symlink at /var/lock/apport, changing apport's lock file location. This file could then be used to escalate privileges, for example. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22.

Published: 2020-04-22T21:15:18.418Z
Updated: 2024-09-16T19:00:55.009Z

TOCTOU Race Condition vulnerability in apport allows a local attacker to escalate privileges and execute arbitrary code. An attacker may exit the crashed process and exploit PID recycling to spawn a root process with the same PID as the crashed process, which can then be used to escalate privileges. Fixed in 2.20.1-0ubuntu2.24, 2.20.9 versions prior to 2.20.9-0ubuntu7.16 and 2.20.11 versions prior to 2.20.11-0ubuntu27.6. Was ZDI-CAN-11234.

Published: 2020-08-06T22:50:22.871Z
Updated: 2025-11-03T19:25:30.971Z

An unhandled exception in check_ignored() in apport/report.py can be exploited by a local attacker to cause a denial of service. If the mtime attribute is a string value in apport-ignore.xml, it will trigger an unhandled exception, resulting in a crash. Fixed in 2.20.1-0ubuntu2.24, 2.20.9-0ubuntu7.16, 2.20.11-0ubuntu27.6.

Published: 2020-08-06T22:50:22.407Z
Updated: 2024-09-16T20:52:16.329Z

Apport reads and writes information on a crashed process to /proc/pid with elevated privileges. Apport then determines which user the crashed process belongs to by reading /proc/pid through get_pid_info() in data/apport. An unprivileged user could exploit this to read information about a privileged running process by exploiting PID recycling. This information could then be used to obtain ASLR offsets for a process with an existing memory corruption vulnerability. The initial fix introduced regressions in the Python Apport library due to a missing argument in Report.add_proc_environ in apport/report.py. It also caused an autopkgtest failure when reading /proc/pid and with Python 2 compatibility by reading /proc maps. The initial and subsequent regression fixes are in 2.20.11-0ubuntu16, 2.20.11-0ubuntu8.6, 2.20.9-0ubuntu7.12, 2.20.1-0ubuntu2.22 and 2.14.1-0ubuntu3.29+esm3.

Published: 2020-04-27T23:25:19.961Z
Updated: 2025-11-03T19:25:26.757Z

Sander Bos discovered Apport's lock file was in a world-writable directory which allowed all users to prevent crash handling.

Published: 2020-02-08T04:50:23.604Z
Updated: 2024-09-16T16:57:41.110Z

Sander Bos discovered Apport mishandled crash dumps originating from containers. This could be used by a local attacker to generate a crash report for a privileged process that is readable by an unprivileged user.

Published: 2020-02-08T04:50:22.806Z
Updated: 2025-11-03T19:25:22.572Z

Sander Bos discovered a time of check to time of use (TOCTTOU) vulnerability in apport that allowed a user to cause core files to be written in arbitrary directories.

Published: 2020-02-08T04:50:22.302Z
Updated: 2024-09-17T00:00:44.526Z

Kevin Backhouse discovered that apport would read a user-supplied configuration file with elevated privileges. By replacing the file with a symbolic link, a user could get apport to read any file on the system as root, with unknown consequences.

Published: 2020-02-08T04:50:21.892Z
Updated: 2024-09-16T23:25:27.956Z

Any Python module in sys.path can be imported if the command line of the process triggering the coredump is Python and the first argument is -m in Apport before 2.19.2 function _python_module_path.

Published: 2019-04-22T15:35:59.329Z
Updated: 2024-09-16T23:45:46.716Z