apport read_file() function could follow maliciously constructed symbolic links
Description
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the xorg-hwe-18.04 package apport hooks, it could expose private data to other local users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The xorg-hwe-18.04 apport hook follows symlinks/FIFOs via read_file(), enabling local users to read arbitrary files.
Vulnerability
read_file() in apport/hookutils.py follows symbolic links and opens FIFO files without validation. When used by the xorg-hwe-18.04 apport hook, a local attacker can trick it into reading arbitrary files [1]. Note that default Ubuntu installations have fs.protected_symlinks enabled (sysctl), which mitigates this specific scenario [1]. Affected versions include those of the xorg-hwe-18.04 package using apport before the fix.
Exploitation
An attacker needs local access to the system (a user account). They create a symbolic link from a file path that the hook will read (e.g., a crash-related path) to a targeted file (e.g., /etc/shadow). When a crash triggers the apport hook, read_file() follows the symlink and reads the target file's content. Exploitation requires a crash in the Xorg stack within the hwe-18.04 environment, and hook logic that does not sanitize the path before calling read_file() [1].
Impact
Successful exploitation leads to disclosure of arbitrary file contents that the crash-reporting user can read, including sensitive files owned by that user or world-readable files. However, on default installations with fs.protected_symlinks=1, the kernel prevents following symlinks in world-writable sticky directories, so impact is limited to non-default configurations or certain specific paths [1].
Mitigation
Ubuntu addressed this issue by fixing read_file() in apport (Bug #1917904) to not follow symlinks or open FIFOs [1]. The fix was released via security updates. Users should ensure their apport package is updated to the latest version. As a workaround, maintaining the fs.protected_symlinks=1 sysctl setting (default on Ubuntu) mitigates exploitation [1]. No workaround for the FIFO aspect is documented aside from the patch.
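The behaviour the fix is described as having (do not follow symlinks, do not open FIFOs) can be written as follows. This is an added example, not apport's code or the patch from Bug #1917904; the names read_file_safely and demo and the sample file names are hypothetical.

```python
import errno
import os
import stat
import tempfile


def read_file_safely(path, max_bytes=1 << 20):
    """Return (data, None) for a regular file, else (None, reason)."""
    # O_NOFOLLOW: fail if the final path component is a symlink
    # (symlinks in parent directories are still resolved normally).
    # O_NONBLOCK: opening a FIFO with no writer returns instead of hanging.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_CLOEXEC
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        return None, "open refused: " + errno.errorcode.get(exc.errno, str(exc.errno))
    with os.fdopen(fd, "rb") as f:
        # Check the type on the open descriptor, not the path, so the
        # object cannot be swapped between the check and the read.
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            return None, "not a regular file"
        return f.read(max_bytes), None


def demo():
    """Run the reader over constructed sample files in a private temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        regular = os.path.join(d, "Xorg.0.log")  # constructed sample name
        with open(regular, "wb") as f:
            f.write(b"constructed log line\n")
        link = os.path.join(d, "link.log")
        os.symlink(regular, link)  # symlink pointing at a readable file
        fifo = os.path.join(d, "fifo.log")
        os.mkfifo(fifo)  # FIFO with no writer attached
        for name, path in (("regular", regular), ("symlink", link), ("fifo", fifo)):
            results[name] = read_file_safely(path)
    return results


if __name__ == "__main__":
    for name, (data, reason) in demo().items():
        print(name, data, reason)
```

Because O_NOFOLLOW covers only the last path component, a reader like this still depends on the parent directories not being attacker-writable.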
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: 2.20.1
References
[1] bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904 (mitre, x_refsource_MISC)