tags: Ubuntu apport vulnerability CVE-2013-1067
I observed that Desktop Ubuntu writes out core files from
This is already bad since sensitive data is often contained in core dumps
(see previous post).
Worse, the files were written out with weak permissions, readable by
the originating user, even though that user might not otherwise have access to data
read by a setuid process. Finally,
apport automatically ships
these files to Canonical (HTTPS) to aid with diagnostics. And
it's not as if anyone would use crash reports for anything
Canonical only agreed to fix the weak file permissions so if you are running Desktop Ubuntu you should follow the recommendations below (or stop running Desktop Ubuntu). If you have ever had a program crash whilst using Desktop Ubuntu and you clicked "OK" to the "Send in a crash report?" pop-up then you should consider that any information that it had access to has been compromised.
When a program run under Ubuntu crashes and attempts to dump core it hits the kernel
core pattern parameter. This invokes the
apport utility via a "pipe handler" (see
kernel docs for
kernel.core_pattern = |/usr/share/apport/apport %p %s %c
apport writes to
/var/log/apport.log and writes a crash dump under
A second package
whoopsie acts as an
listener on the
/var/crash directory and sends the dumps to Canonical's
Errors system, errors.ubuntu.com.
Ubuntu wiki entries:
/etc/sysctl.confor one of the files in
root@ubuntu:~# echo 'fs.suid_dumpable = 0' >> /etc/sysctl.conf
root@ubuntu:~# echo 'kernel.core_pattern = core' >> /etc/sysctl.conf
root@ubuntu:~# aptitude purge apport whoopsie \ apport-gtk apport-kde \ apport-retrace apport-symptoms \ dh-apport python-apport
apportthen apply the update from the USN (or better: enable automatic package updates).