Bug 947731 - (CVE-2015-1338) VUL-0: CVE-2015-1338: apport: kernel_crashdump accesses files in insecure manner
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/157006/
CVSSv2:NVD:CVE-2015-1338:7.2:(AV:L/AC...
Depends on:
Blocks:
Reported: 2015-09-28 08:05 UTC by Victor Pereira
Modified: 2018-02-09 06:14 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Victor Pereira 2015-09-28 08:05:00 UTC
CVE-2015-1338

It was discovered that Apport incorrectly handled kernel crash dump files.
A local attacker could use this issue to cause a denial of service, or
possibly elevate privileges. The default symlink protections for affected
releases should reduce the vulnerability to a denial of service.

References:
http://www.ubuntu.com/usn/usn-2744-1/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1338
Comment 1 Swamp Workflow Management 2015-09-28 22:00:18 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2015-10-01 10:17:56 UTC
Upstream bug:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1492570

Reproduction and research:
http://www.halfdog.net/Security/2015/ApportKernelCrashdumpFileAccessVulnerabilities/

Commits:
http://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/3007
http://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/3008

http://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/3008?remember=3006&compare_revid=3006

We have this package in SLE 11 in a very old version. The insecure use of file open is in that code. The patch above needs serious re-work.

Assign to SLE 11 maintainer. Requesting update as this is a local privilege escalation (is hardlink / symlink protection available on SLE 11?)
Comment 3 Marcus Meissner 2017-03-01 12:59:57 UTC
Jan, your submission is still missing...
Comment 7 Matthias Gerstner 2017-07-20 15:05:29 UTC
nela asked me in IRC to analyze the PoCs for this issue, because they're
pretty complex. It turns out that the whole exploit is based on /var/crash
being world writable. While this seemed to be the case on Ubuntu back then, it
is not the case in our SLE-11 distributions.

It makes no sense to further investigate the PoCs. This bugfix can be
viewed as a kind of hardening, but the issue doesn't affect us.

The reproducers can thus be skipped.
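A defender-side check for the two preconditions discussed above (the world-writable /var/crash from Comment 7 and the insecure file open from Comment 2), added here as an illustration that is not part of the bug report or of the apport code: it flags a world-writable directory that lacks the sticky bit, and it opens a crash file with O_NOFOLLOW and validates the opened inode instead of trusting the path. Function names and the scratch directory are assumptions; the scratch directory stands in for /var/crash.

```python
import os
import stat
import tempfile

def dir_is_unsafe(path):
    """True when any local user can create or replace entries: world-writable
    and no sticky bit. This is the state the PoCs relied on for /var/crash."""
    st = os.stat(path)
    return bool(st.st_mode & stat.S_IWOTH) and not (st.st_mode & stat.S_ISVTX)

def open_crash_file(path, expected_uid):
    """Open without following a symlink, then validate the opened inode rather
    than the path name, so a swapped directory entry cannot redirect the read."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_nlink != 1:
            raise PermissionError(f"{path}: hard link to another inode")
        if st.st_uid != expected_uid:
            raise PermissionError(f"{path}: owned by uid {st.st_uid}")
    except BaseException:
        os.close(fd)
        raise
    return os.fdopen(fd, "rb")

def run_demo():
    """Constructed scratch directory standing in for /var/crash (assumption)."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o1777)            # world-writable but sticky: acceptable
    sticky_ok = not dir_is_unsafe(d)
    os.chmod(d, 0o777)             # the insecure precondition from Comment 7
    plain_bad = dir_is_unsafe(d)
    core = os.path.join(d, "core")
    with open(core, "wb") as f:
        f.write(b"crashdump")
    with open_crash_file(core, os.getuid()) as f:
        content = f.read()
    link = os.path.join(d, "link")
    os.symlink(core, link)         # a planted symlink entry; O_NOFOLLOW refuses it
    try:
        open_crash_file(link, os.getuid())
        symlink_refused = False
    except OSError:
        symlink_refused = True
    return {"sticky_ok": sticky_ok, "plain_bad": plain_bad,
            "content": content, "symlink_refused": symlink_refused}
```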
Comment 8 Swamp Workflow Management 2017-07-24 19:11:51 UTC
SUSE-SU-2017:1938-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 947731
CVE References: CVE-2015-1338
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    apport-0.114-12.8.3.1, apport-crashdb-sle-0.114-0.8.3.1
Comment 9 Tomáš Chvátal 2018-01-25 15:51:49 UTC
Well the requested stuff was released...
Comment 10 Marcus Meissner 2018-02-09 06:14:13 UTC
released