apport read_file() function could follow maliciously constructed symbolic links

Vulnerability

In apport/hookutils.py, the read_file() function follows symbolic links or opens FIFOs without checking for them. When invoked by the openjdk-17 package's Apport hook (source_openjdk-*.py), an attacker can cause the hook to read an arbitrary file by creating a symlink or FIFO at a path constructed from user-controlled data (ProcCwd) and a PID, leading to disclosure of private data [1]. The issue affects Apport versions prior to the fix and was disclosed via Launchpad bug #1917904.

Exploitation

An attacker needs local access to the system and the ability to run a Java process that crashes, triggering the Apport crash reporting hook. They can control the working directory (ProcCwd) of the crashing process. By placing a symbolic link or FIFO (named pipe) at the path hs_err_pid.log within that directory, the attacker redirects read_file() to read any file they choose. No special privileges are required beyond being able to execute code that crashes a Java process [1].

Impact

Successful exploitation results in arbitrary file read as the apport user, which typically has broad read access to system files. The attacker can exfiltrate private data, such as credentials, keys, or other sensitive information from other local users or the system. The confidentiality of the affected system is compromised; integrity and availability are not directly impacted [1].

Mitigation

Ubuntu fixed this issue by updating Apport to not follow symbolic links or open FIFOs in read_file(). Users should upgrade the apport package to the patched version. The fix was released in Apport version 2.20.11-0ubuntu82.5 for Ubuntu 20.04 LTS and corresponding updates for other releases. As a workaround, systems with the sysctl fs.protected_symlinks set to 1 (default on Ubuntu) mitigate symlink attacks but not FIFO attacks [1].