~brian-murray/apport/test-fix

Viewing all changes in revision 2958.

  • Committer: Martin Pitt
  • Date: 2015-05-13 09:15:08 UTC
  • Revision ID: martin.pitt@canonical.com-20150513091508-k9fxhyzje1jtv4be

SECURITY UPDATE: Fix core dump file injection

When writing a core dump file for a crashed packaged program, don't close and
reopen the .crash report file but just rewind and re-read it. This prevents the
user from modifying the .crash report file while "apport" is running to inject
data and creating crafted core dump files.

By itself this is not a vulnerability, but in conjunction with the previous
vulnerability of writing core dump files to arbitrary directories
(CVE-2015-1324) this could be exploited to gain root privileges, by writing a
crafted "core" file to /etc/sudoers.d/, /etc/cron.d, or similar.

Thanks to Philip Pettersson for discovering this issue!

CVE-2015-1325
LP: #1453900
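
The difference between reopening a report by path and rewinding a descriptor that is already open, as an added example that is not apport's code. The file names, the report contents and the `swap_report` helper are constructed for illustration, and everything runs inside a private temporary directory.

```python
import os
import tempfile

ORIGINAL = b"ProblemType: Crash\nCoreDump: trusted-bytes\n"   # constructed sample
TAMPERED = b"ProblemType: Crash\nCoreDump: injected-bytes\n"  # constructed sample


def swap_report(path):
    """Simulate another process replacing the file at `path` mid-run."""
    tmp = path + ".new"
    with open(tmp, "wb") as f:
        f.write(TAMPERED)
    os.replace(tmp, path)  # the path now names a different inode


def reread_by_reopen(path):
    """Pre-fix pattern: write the report, close it, open the same path again."""
    with open(path, "wb") as f:
        f.write(ORIGINAL)
    swap_report(path)              # window between close and reopen
    with open(path, "rb") as f:    # second path lookup, resolved afresh
        return f.read()


def reread_by_rewind(path):
    """Post-fix pattern: keep the descriptor open, rewind it, re-read it."""
    with open(path, "w+b") as f:
        f.write(ORIGINAL)
        f.flush()
        swap_report(path)          # same interference; f still refers to the old inode
        f.seek(0)
        return f.read()


def demo():
    """Return (bytes seen after reopen, bytes seen after rewind)."""
    with tempfile.TemporaryDirectory() as d:
        reopened = reread_by_reopen(os.path.join(d, "a.crash"))
        rewound = reread_by_rewind(os.path.join(d, "b.crash"))
    return reopened, rewound


if __name__ == "__main__":
    reopened, rewound = demo()
    print("reopen by path :", reopened)
    print("rewind same fd :", rewound)
```

Holding the descriptor only pins the inode; whether another process can write to that inode is governed by the file's ownership and mode.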
