apport read_file() function could follow maliciously constructed symbolic links

Vulnerability

read_file() in apport/hookutils.py follows symbolic links and opens FIFOs, bypassing protections. When used by the openjdk-14 package apport hooks, the add_info() function in package-hooks/source_openjdk-*.py constructs a file path from the user-controlled ProcCwd field and a derived PID. The path is not sanitized and can point to a symlink or FIFO, leading to arbitrary file reads. This affects Ubuntu default installations with the openjdk-14 package [1].

Exploitation

A local attacker with the ability to control the ProcCwd in a crash report (e.g., by triggering a crash from a controlled directory) can set a symbolic link at the expected path to a sensitive file (e.g., /etc/shadow). When read_file() follows the symlink or opens the FIFO, the file’s contents are captured in the HotspotError report key. No special privileges beyond local user access are required; the sysctl fs.protected_symlinks does not mitigate this particular code path [1].

Impact

Successful exploitation allows a local attacker to read arbitrary files on the system, including confidential data such as SSH keys, passwords, or other users' private files. The crafted crash report can be inspected by the attacker, leading to information disclosure [1].

Mitigation

Ubuntu 20.04 LTS and 21.04 are affected. The apport package was fixed in version 2.20.11-0ubuntu82.5 for 20.04 LTS and 2.20.11-0ubuntu63.1 for 21.04. Users should update apport to the patched version. No workaround is available; the hook’s code path must be fixed. The issue is not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog [1].