apport read_file() function could follow maliciously constructed symbolic links

Vulnerability

The read_file() function in apport/hookutils.py follows symbolic links or opens FIFOs when invoked by the openjdk-16 package apport hooks. This insufficient path validation allows a local attacker to trick the add_info() routine in source_openjdk-16.py into reading arbitrary files. The vulnerable code builds a file path using the user-controlled ProcCwd value from the crash report without proper sanitization [1]. This affects all versions of the openjdk-16 apport hooks shipped in Ubuntu releases prior to the fix.

Exploitation

A local attacker must first trigger a crash in the OpenJDK-16 runtime to generate a crash report. By crafting a ProcCwd value that is a symbolic link pointing to an arbitrary file (or a FIFO), the attacker can cause the add_info() hook to call read_file() on that path when the crash report is processed. No elevated privileges are required beyond the ability to create files and symlinks on the filesystem; the attack is performed within the normal crash reporting workflow [1].

Impact

Successful exploitation leads to disclosure of private data from any file the targeted user has read access to (e.g., SSH keys, credentials, or other sensitive documents). The attack is limited to local access and does not provide code execution or privilege escalation beyond reading the victim's files. The data is read and included in the generated crash report, which may be visible to the attacker if they have access to the crash report queue [1].

Mitigation

A fixed version of apport (2.20.11-0ubuntu65.2 or later) was released on 2021-06-11 by Canonical. Users are advised to update the apport package via apt update && apt upgrade. As a workaround, enabling the sysctl setting fs.protected_symlinks (default on Ubuntu) mitigates the issue, but the vendor recommends applying the patch. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [1].