~mdeslaur/apport:sec202205

Branch merges

Propose for merging

Merged into ~apport-hackers/apport/+git/apport-old:main at revision cd7544bff0611ee8443a0051a9aa0041649abbab

Benjamin Drung: Approve on 2022-05-18

Diff: 554 lines (+228/-104)

4 files modified

apport/fileutils.py (+61/-7)
data/apport (+140/-91)
etc/init.d/apport (+3/-6)
tests/test_fileutils.py (+24/-0)

api

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related charm recipes

cd7544b... by Marc Deslauriers on 2022-05-18

Merge remote-tracking branch 'origin/main' into sec202205

ad92c3a... by Marc Deslauriers on 2022-05-18

Switch to using non-positional arguments

This also fixes the executable name parsing with spaces and with
embedded switches, and also uses the real UID and GID from the
kernel to make sure they match the process.

This fixes CVE-2022-28658 and CVE-2021-3899.

3e39695... by Marc Deslauriers on 2022-05-18

apport/fileutils.py: Do not call str in loop

4ffbd8b... by Marc Deslauriers on 2022-05-18

apport/fileutils.py: Fix typo in comment

80c60a9... by Marc Deslauriers on 2022-05-18

data/apport: Clarify error message

bee85b8... by Marc Deslauriers on 2022-05-18

Switch from chroot to container to validating socket owner

This fixes CVE-2022-1242, CVE-2022-28657.

CVE-2022-1242 would allow an attacker to trick Apport into connecting
to arbitrary sockets as the root user, possibly resulting in services
being spawned.

CVE-2022-28657 was the result of Apport not disabling the python crash
handler before chrooting into the container. This could allow an
attacker to import arbitrary python modules into the Apport script.

5271152... by Marc Deslauriers on 2022-05-18

Refactor duplicate code into search_map() function

b2cf571... by Marc Deslauriers on 2022-05-18

Turn off interpolation in get_config() to prevent DoS attacks

This fixes CVE-2022-28652, a Billion laughs attack.

b240f8b... by Marc Deslauriers on 2022-05-18

Validate D-Bus socket location

This fixes CVE-2022-28655.

An attacker could specify an arbitray DBus address, and possibly cause
Apport to make TCP connections.

1b3a077... by Marc Deslauriers on 2022-05-18

Limit memory and duration of gdbus call

This fixes CVE-2022-28654, CVE-2022-28656.

CVE-2022-28654 would allow an attacker to fill up apport.log,
resulting in a denial of service.

CVE-2022-28656 would allow an attacker to hold the DBus connection
open and cause Apport to consume memory.