apport get_modified_conffiles() function command injection
Description
It was discovered that the get_modified_conffiles() function in backends/packaging-apt-dpkg.py allowed injecting modified package names in a manner that would confuse the dpkg(1) call.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The get_modified_conffiles() function in Apport's apt-dpkg backend allowed injection of modified package names, leading to dpkg confusion and potential file reads.
Vulnerability
The get_modified_conffiles() function in backends/packaging-apt-dpkg.py of Apport (the automatic crash report system) allowed injecting modified package names that could confuse the dpkg(1) call [1]. An attacker could craft a package name containing special characters or path traversal sequences, leading to execution of arbitrary dpkg commands. This vulnerability affects Apport versions prior to the fix.
Exploitation
An attacker needs the ability to submit a crafted crash report that includes a malicious package name. Since Apport handles crash reports from users, a local user can trigger a crash and provide a controlled package name. The function get_modified_conffiles() then passes this name to dpkg without proper sanitization, causing dpkg to process unintended files [1].
Impact
Successful exploitation allows an attacker to read arbitrary files on the system due to dpkg running with root privileges. This results in information disclosure of sensitive files. No remote code execution is achieved, but the confidentiality impact is high.
Mitigation
The vulnerability was fixed in a subsequent release of Apport. Users are advised to update the apport package to the latest version provided by their distribution. For Ubuntu systems, the fix is included in Apport 2.20.11-0ubuntu8.5 and later [1].
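An added example (not Apport's code or its fix) of the sanitization the text above says was missing: validate a package name taken from a report before it reaches dpkg, and end option parsing with `--`. The `dpkg-query` command line, the function names and the sample names are assumptions made for illustration.

```python
import re

# Debian Policy's rule for package names: lowercase letters, digits, '+', '-'
# and '.'; at least two characters; first character alphanumeric. An optional
# ":arch" qualifier is accepted here as well.
_PKG_RE = re.compile(r"[a-z0-9][a-z0-9+.\-]+(?::[a-z0-9][a-z0-9\-]*)?")

# Assumed query, for illustration only (not Apport's actual command line).
_DPKG_QUERY = ["dpkg-query", "--show", "--showformat=${Conffiles}"]


def is_valid_package_name(name):
    """True only if the whole string is a well-formed package name."""
    # fullmatch() is used instead of '$', which would accept a trailing newline.
    return isinstance(name, str) and _PKG_RE.fullmatch(name) is not None


def conffiles_argv(package):
    """Build the argv for the query, refusing names dpkg could misread."""
    if not is_valid_package_name(package):
        raise ValueError("refusing package name: %r" % (package,))
    # "--" ends option parsing, so the name stays a positional argument even
    # if the validation above is loosened later. The list is meant to be passed
    # to subprocess.run() directly, so no shell interprets it.
    return _DPKG_QUERY + ["--", package]


def screen_report_packages(names):
    """Split names taken from an untrusted report into (accepted, rejected)."""
    accepted, rejected = [], []
    for name in names:
        (accepted if is_valid_package_name(name) else rejected).append(name)
    return accepted, rejected


# Constructed sample input standing in for package names found in reports.
SAMPLE_NAMES = ["bash", "libstdc++6", "libc6:amd64", "--option=value",
                "../../etc/shadow", "bash\n-L", "", "Bash"]

if __name__ == "__main__":
    ok, bad = screen_report_packages(SAMPLE_NAMES)
    print("accepted:", ok)
    print("rejected:", bad)
    print("argv:", conffiles_argv("bash"))
```

Rejected names are worth logging, since an option-like or path-like package name in a crash report is not something a legitimate crash produces.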
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 2.20.1
Patches
No patches discovered yet.
References
- [1] bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904 (mitre, x_refsource_MISC)