apport read_file() function could follow maliciously constructed symbolic links

Vulnerability

The read_file() function in apport/hookutils.py follows symbolic links and opens FIFOs without restriction. When used by the openjdk-13 package apport hooks (source_openjdk-*.py), the add_info() function constructs a file path using user-controlled ProcCwd data without proper sanitization, enabling directory traversal. This allows reading hs_err_pid.log from attacker-controlled paths. The issue affects default Ubuntu installations with the apport package and the openjdk-13 hooks [1].

Exploitation

A local attacker can exploit this by crafting a crash report that sets ProcCwd to a directory containing a symlink or FIFO (e.g., pointing to /etc/shadow). When the apport hook processes the crash, it calls read_file() on the attacker-controlled path, following the symlink or opening the FIFO. The attacker needs only local user access and the ability to trigger a crash (e.g., by causing a Java crash) [1].

Impact

Successful exploitation results in disclosure of any file on the system that the apport process (running as root or with elevated privileges) can read. This includes sensitive private data of other local users, such as SSH keys, passwords, or configuration files. The confidentiality of the system is compromised [1].

Mitigation

A fix was released in apport version 2.20.11-0ubuntu50.13 (and later) for Ubuntu 20.04 LTS, and similarly for other affected releases. The fix ensures read_file() checks for symlinks and FIFOs and does not follow them. Users should update their apport package. The sysctl setting fs.protected_symlinks mitigates some instances but not this specific one on default installations [1].