Unrated severity · NVD Advisory · Published Jun 12, 2021 · Updated Sep 16, 2024

apport read_file() function could follow maliciously constructed symbolic links

CVE-2021-32554

Description

It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the xorg package apport hooks, it could expose private data to other local users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2021-32554 allows local users to read arbitrary files via symbolic link traversal in Apport's read_file() function when used by xorg hooks.

Vulnerability

Apport's read_file() function in /usr/lib/python3/dist-packages/apport/hookutils.py follows symbolic links or opens FIFOs without checking ownership or protected symlinks. When called by the xorg package apport hooks, this behavior can be exploited to read arbitrary files on the system. The vulnerable code is present in apport versions prior to the fix. On default Ubuntu installations, the fs.protected_symlinks sysctl setting mitigates this issue; if that setting is disabled, the vulnerability is exploitable [1].
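
A defensive pattern for the behaviour described above, as an added example that is not apport's own code or its actual patch: the hypothetical helper `read_regular_file` refuses a symlink in the final path component and does not block on a FIFO. The file names and the `MAX_BYTES` cap are constructed for illustration.

```python
import errno
import os
import stat
import tempfile

MAX_BYTES = 1 << 20  # assumption: size cap for one attached file


def read_regular_file(path, max_bytes=MAX_BYTES):
    """Read `path` only if it is a regular file and not a symlink (hypothetical helper)."""
    # O_NOFOLLOW: open fails with ELOOP when the final path component is a symlink.
    # O_NONBLOCK: opening a FIFO that has no writer returns at once instead of hanging.
    # Caveat: O_NOFOLLOW does not cover symlinks in parent directories.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_CLOEXEC)
    try:
        # Check the descriptor already held, not the path, so the file cannot be
        # swapped between the check and the read.
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError(errno.EINVAL, "not a regular file", path)
        with os.fdopen(fd, "rb", closefd=False) as f:
            return f.read(max_bytes)
    finally:
        os.close(fd)


def demo():
    """Run the helper over a constructed regular file, symlink and FIFO."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        regular = os.path.join(d, "report.log")
        with open(regular, "wb") as f:
            f.write(b"constructed sample data\n")
        link = os.path.join(d, "link.log")
        os.symlink(regular, link)
        fifo = os.path.join(d, "pipe.log")
        os.mkfifo(fifo)
        for name, p in (("regular", regular), ("symlink", link), ("fifo", fifo)):
            try:
                results[name] = read_regular_file(p)
            except OSError as e:
                results[name] = errno.errorcode.get(e.errno, "OSError")
    return results


if __name__ == "__main__":
    print(demo())
```

On Linux the symlink is rejected at `open()` and the FIFO is rejected by the `fstat()` type check, so neither is ever read.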

Exploitation

A local unprivileged attacker can create a symbolic link in a location that the xorg apport hook will read (e.g., a world-writable directory like /tmp). The hook, often running as root or with high privileges, follows the symlink, allowing the attacker to read any file (e.g., /etc/shadow) and include its contents in a crash report. This requires that the attacker trigger a crash in xorg or otherwise cause the hook to execute with a crafted symlink [1].

Impact

Successful exploitation results in disclosure of sensitive information from any file on the system that the hook process can read, including password hashes, private keys, and other confidential data. The impact is limited to local users and depends on the system's symlink protection settings [1].

Mitigation

Ubuntu released a fix in apport version 2.20.11-0ubuntu82.1 or later for Ubuntu 20.04 LTS, with corresponding updates for other releases. Users should update the apport package through the package manager. If immediate patching is not possible, enabling the fs.protected_symlinks sysctl (default on Ubuntu) prevents the attack by requiring symlink ownership to match the follower. No other workarounds are documented [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
