SB2020111236 - Ubuntu update for apport

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-11481)

The vulnerability allows a local user to bypass certain security restrictions.

The vulnerability exists due Apport reads user-controlled settings files with root privileges. A local user can create a specially crafted settings file and force the application to read it. This could lead to application crash.

2) Race condition (CVE-ID: CVE-2019-11482)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a race condition. A local user can force the Apport application to generate a crash report for a privileged process and make it readable to an unprivileged user.

3) UNIX symbolic link following (CVE-ID: CVE-2019-11483)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to the Apport mishandles crash dumps originating from containers. A local user can trigger a crush dump for a controlled container and force the Apport to generate a report for a privileged process.

4) Resource management error (CVE-ID: CVE-2019-11485)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to Apport mishandled lock-file creation. A local user can crash the Apport service.

5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-15790)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to Apport reads various process-specific files with elevated privileges during crash dump generation. A local user can force the application to generate a crash report for a privileged process and gain access to sensitive information.

Remediation

Install update from vendor's website.

References

• https://ubuntu.com/security/notices/USN-4171-6