Apport file permission bypass through emacs byte compilation errors
Description
The function check_attachment_for_errors() in the file data/general-hooks/ubuntu.py could be tricked into exposing private data via a constructed crash file. This issue affects: apport 2.14.1 versions prior to 2.14.1-0ubuntu3.29+esm8; 2.20.1 versions prior to 2.20.1-0ubuntu2.30+esm2; 2.20.9 versions prior to 2.20.9-0ubuntu7.26; 2.20.11 versions prior to 2.20.11-0ubuntu27.20; 2.20.11 versions prior to 2.20.11-0ubuntu65.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted crash file can trick Apport's emacs hook into attaching arbitrary files, leaking sensitive local data.
Vulnerability
The function check_attachment_for_errors() in data/general-hooks/ubuntu.py of Apport mishandles user-controlled crash files. When the crash report names a Package such as emacs22, emacs23, emacs-snapshot, or xemacs21, and the DpkgTerminalLog field contains text matching the pattern "!! Byte-compilation for x?emacs\S+ failed!", the code extracts a file path from the log line "!! and attach the file <path>" and attaches that file to the report without proper sanitization [3]. This affects Apport versions: 2.14.1 prior to 2.14.1-0ubuntu3.29+esm8; 2.20.1 prior to 2.20.1-0ubuntu2.30+esm2; 2.20.9 prior to 2.20.9-0ubuntu7.26; 2.20.11 prior to 2.20.11-0ubuntu27.20; 2.20.11 prior to 2.20.11-0ubuntu65.3 [1][2].
Exploitation
An attacker with local access to the system can craft a .crash file with a "ProblemType: Package" value and a DpkgTerminalLog field containing a line that matches the emacs byte-compilation regex, followed by an "!! and attach the file /path/to/target" directive (e.g., /etc/shadow). If automatic crash reporting is enabled, Apport processes the file, extracts the attacker-specified path via a regular expression, and attaches that file's contents to the resulting crash report [3]. The attacker then retrieves the report (e.g., from /var/crash/) to read the included sensitive data.
Impact
Successful exploitation allows a local unprivileged attacker to read arbitrary files on the system. Sensitive files such as /etc/shadow (which contains hashed password data) can be exposed, leading to credential disclosure and potential privilege escalation. The compromise is limited to read access, but the confidentiality impact is high because the attacker can target any file readable by the Apport process (typically root) [1][2][3].
Mitigation
Fixed Apport packages were released on 14 September 2021 and are available via Ubuntu security updates (USN-5077-1 for most releases, USN-5077-2 for Ubuntu 14.04 ESM and 16.04 ESM) [1][2]. Users should upgrade to the corrected versions: apport 2.14.1-0ubuntu3.29+esm8, 2.20.1-0ubuntu2.30+esm2, 2.20.9-0ubuntu7.26, 2.20.11-0ubuntu27.20, or 2.20.11-0ubuntu65.3, as appropriate. There is no documented workaround; disabling automatic crash reporting may reduce exposure but is not a complete mitigation.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
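A triage check for reports already on disk, added here as an example (it is not Apport's code and not part of the advisory): it parses report text and lists every "!! and attach the file" path in DpkgTerminalLog that falls outside an allow-list. The /tmp/ allow-list, the (\S+) path capture, the function names and the sample report are assumptions constructed for illustration.

```python
import posixpath
import re

# Both patterns come from the description above; the (\S+) path capture is an
# assumption about how the hook reads the line.
BYTE_COMPILE_RE = re.compile(r"^!! Byte-compilation for x?emacs\S+ failed!", re.M)
ATTACH_RE = re.compile(r"^!! and attach the file (\S+)", re.M)

def parse_report(text):
    """Parse 'Key: value' report text; continuation lines start with a space."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key:
            fields[key].append(line[1:])
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key] = [value.strip()] if value.strip() else []
        else:
            key = None
    return {k: "\n".join(v) for k, v in fields.items()}

def flag_attach_requests(report, allowed_prefixes=("/tmp/",)):
    """Return requested attach paths that normalise to outside allowed_prefixes.

    The Package field is deliberately ignored: any log asking for a file
    outside the allow-list deserves a look. Symlinks are not resolved.
    """
    log = report.get("DpkgTerminalLog", "")
    if not BYTE_COMPILE_RE.search(log):
        return []
    return [raw for raw in ATTACH_RE.findall(log)
            if not posixpath.normpath(raw).startswith(allowed_prefixes)]

# Constructed sample, not a real report.
SAMPLE = """\
ProblemType: Package
Package: emacs23
DpkgTerminalLog:
 Setting up example-el (1.0) ...
 !! Byte-compilation for emacs23 failed!
 !! and attach the file /tmp/elc_example.log
 !! and attach the file /etc/shadow
 !! and attach the file /tmp/../etc/shadow
"""

if __name__ == "__main__":
    for path in flag_attach_requests(parse_report(SAMPLE)):
        print("attach request outside allow-list:", path)
```

Paths are normalised before the prefix check, so a request written as /tmp/../etc/shadow is still flagged.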
Affected products
- Range: 2.14.1 < 2.14.1-0ubuntu3.29+esm8; 2.20.1 < 2.20.1-0ubuntu2.30+esm2; 2.20.9 < 2.20.9-0ubuntu7.26; 2.20.11 < 2.20.11-0ubuntu27.20; 2.20.11 < 2.20.11-0ubuntu65.3
- Range: 2.14.1
References
- bugs.launchpad.net/ubuntu/+source/apport/+bug/1934308 (mitre, x_refsource_MISC)
- cve.mitre.org/cgi-bin/cvename.cgi (mitre, x_refsource_MISC)
- ubuntu.com/security/notices/USN-5077-1 (mitre, x_refsource_MISC)
- ubuntu.com/security/notices/USN-5077-2 (mitre, x_refsource_MISC)