Apport info disclosure via path traversal bug in read_file

Vulnerability

A path traversal vulnerability exists in the read_file() function in apport/hookutils.py. This issue affects Apport versions 2.14.1 prior to 2.14.1-0ubuntu3.29+esm8, 2.20.1 prior to 2.20.1-0ubuntu2.30+esm2, 2.20.9 prior to 2.20.9-0ubuntu7.26, and 2.20.11 prior to 2.20.11-0ubuntu27.20 and 2.20.11-0ubuntu65.3 [1][2]. Similar path traversal issues also exist in package hooks such as source_xorg.py, where an attacker-controlled Pid value is appended to a file path without sanitization [3].

Exploitation

A local attacker must have the ability to create a crafted crash report and have automatic crash reporting enabled (e.g., via whoopsie) [3]. The attacker creates a crash report with a malicious Pid field containing path traversal sequences (e.g., JRN/../../../../etc/shadow). When Apport processes the crash, it constructs a file path using the unsanitized Pid value and reads the target file, attaching its contents to the crash report. The attacker can then retrieve the file contents from the report [3].

Impact

Successful exploitation allows a local attacker to read arbitrary files on the system with the privileges of the Apport process (typically root). This can lead to disclosure of sensitive information such as /etc/shadow, potentially enabling privilege escalation or further compromise [1][2][3].

Mitigation

Update Apport to the fixed versions listed in the advisory: for Ubuntu 14.04 ESM, upgrade to 2.14.1-0ubuntu3.29+esm8; for Ubuntu 16.04 ESM, upgrade to 2.20.1-0ubuntu2.30+esm2; for Ubuntu 18.04 LTS, upgrade to 2.20.9-0ubuntu7.26; for Ubuntu 20.04 LTS, upgrade to 2.20.11-0ubuntu27.20; and for Ubuntu 21.04, upgrade to 2.20.11-0ubuntu65.3 [1][2]. As a workaround, disable automatic crash reporting if the update cannot be applied immediately. No known exploitation in the wild has been reported at the time of publication.