VYPR
Unrated severity · NVD Advisory · Published Jun 12, 2021 · Updated Sep 17, 2024

apport read_file() function could follow maliciously constructed symbolic links

CVE-2021-32547

Description

It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-lts package apport hooks, it could expose private data to other local users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apport's read_file() follows symlinks/FIFOs, enabling local attackers to read arbitrary files via openjdk-lts hook directory traversal.

Vulnerability

CVE-2021-32547 is a security issue in Apport, the Ubuntu crash-reporting system, specifically in the read_file() function in apport/hookutils.py. When this function is used by the openjdk-lts package apport hook (source_openjdk-*.py), it follows symbolic links or opens FIFOs. The add_info() function in that hook constructs a file path from user-controlled data (ProcCwd and Pid fields from the crash report) without sanitizing it, enabling directory traversal. This affects Apport versions prior to the fix shipped in Ubuntu 21.04, 20.10, 20.04 LTS, and 18.04 LTS [1].
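The two behaviours named above (following a symlink, opening a FIFO) can be contrasted with a descriptor-based read that rejects both. This is an added example, not Apport's code or its patch; the function names, file names and the 100 KB cap are assumptions for illustration.

```python
import os
import stat
import tempfile


def read_file_naive(path, limit=100 * 1024):
    """Behaviour the advisory describes: open() follows symlinks and blocks on FIFOs."""
    with open(path, "rb") as f:
        return f.read(limit)


def read_file_hardened(path, limit=100 * 1024):
    """Refuse a symlink as the final component and anything that is not a regular file."""
    # O_NOFOLLOW: os.open() raises OSError if the last path component is a symlink.
    # O_NONBLOCK: opening a FIFO with no writer returns at once instead of hanging.
    # Limitation: symlinks in parent directories of `path` are still followed.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        # Inspect the opened descriptor, not the path, so there is no check/use race.
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError(f"{path}: not a regular file")
        return os.read(fd, limit)
    finally:
        os.close(fd)


def demo():
    """Constructed layout: a private file, a symlink to it, and a FIFO."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")
        link = os.path.join(d, "crash.log")  # hypothetical name, points at secret
        fifo = os.path.join(d, "fifo.log")
        with open(secret, "wb") as f:
            f.write(b"private data")
        os.symlink(secret, link)
        os.mkfifo(fifo)
        results["naive_link"] = read_file_naive(link)
        results["hardened_regular"] = read_file_hardened(secret)
        for name, p in (("hardened_link", link), ("hardened_fifo", fifo)):
            try:
                results[name] = read_file_hardened(p)
            except OSError:  # covers the O_NOFOLLOW failure and PermissionError
                results[name] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```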

Exploitation

An attacker with local access can trigger a controlled crash (or use an existing crash report) containing a crafted ProcCwd value that includes path traversal sequences or points at symlinks. When the Apport hook processes the crash, it calls read_file() on the constructed path, which follows symlinks regardless of the fs.protected_symlinks sysctl setting. The attacker does not need elevated privileges; they only need to be able to write to a directory that is used as ProcCwd in a crash report, and the vulnerable hook must be installed [1].

Impact

Successful exploitation allows the local attacker to read the first 100 KB of any file on the system that the Apport user (typically root) can read. This includes sensitive private data from other users, such as SSH keys, passwords, or configuration files, potentially leading to privilege escalation or lateral movement [1].

Mitigation

Ubuntu released fixed Apport packages on 2021-06-12. Users should upgrade to apport version 2.20.11-0ubuntu50.5 (21.04), 2.20.11-0ubuntu27.17 (20.10), 2.20.11-0ubuntu27.17 (20.04 LTS), or 2.20.11-0ubuntu50.5 (18.04 LTS). Manually setting fs.protected_symlinks=1 mitigates some similar issues but not this one; the only complete fix is applying the package update [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
