Bug 947731 - (CVE-2015-1338) VUL-0: CVE-2015-1338: apport: kernel_crashdump accesses files in insecure manner
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
Depends on:
Reported: 2015-09-28 08:05 UTC by Victor Pereira
Modified: 2018-02-09 06:14 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Victor Pereira 2015-09-28 08:05:00 UTC

It was discovered that Apport incorrectly handled kernel crash dump files.
A local attacker could use this issue to cause a denial of service, or
possibly elevate privileges. The default symlink protections for affected
releases should reduce the vulnerability to a denial of service.

Comment 1 Swamp Workflow Management 2015-09-28 22:00:18 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2015-10-01 10:17:56 UTC
Upstream bug:

Reproduction and research:



We have this package in SLE 11 in a very old version. The insecure use of file open is in that code. The patch above needs serious re-work.

Assign to SLE 11 maintainer. Requesting update as this is a local privilege escalation (is hardlink / symlink protection available on SLE 11?)
Comment 3 Marcus Meissner 2017-03-01 12:59:57 UTC
Jan, your submission is still missing...
Comment 7 Matthias Gerstner 2017-07-20 15:05:29 UTC
nela asked me in IRC to analyze the PoCs for this issue, because they're
pretty complex. It turns out that the whole exploit is based on /var/crash
being world writable. While this seemed to be the case on Ubuntu back then, it
is not the case in our SLE-11 distributions.

It thus makes no sense to further investigate the PoCs. This bugfix can be
viewed as a kind of hardening but the issue doesn't affect us.

The reproducers can thus be skipped.
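The two points made above, that the PoCs only work when the crash directory is world-writable and that a plain file open in such a directory is what turns a planted symlink into an overwrite, are easier to see with a small demonstration. The following is an added example and is not apport's own code nor any of the PoCs attached to the upstream bug; it builds everything in a private temporary directory, uses a constructed "victim" file in place of a root-owned target, and the function names (`naive_write`, `safe_write`, `dir_is_attacker_writable`, `symlink_protection_enabled`, `demo`) are this example's own.

```python
"""Added example (not apport code): a plain open() in a directory that other
local users can write to follows a planted symlink; O_CREAT|O_EXCL|O_NOFOLLOW
with an fstat() check does not. All paths below are constructed in a temp dir."""
import os
import stat
import tempfile
from typing import Optional


def naive_write(path: str, data: bytes) -> None:
    """The unsafe pattern: open(..., 'wb') follows symlinks, so a link planted
    under the expected dump name redirects the write to the link's target."""
    with open(path, "wb") as f:
        f.write(data)


def safe_write(path: str, data: bytes) -> None:
    """Hardened form. O_CREAT|O_EXCL fails if the name already exists (a
    pre-planted symlink included), O_NOFOLLOW refuses to traverse a link, and
    mode 0o600 keeps other local users out of the file we create."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)
        # Check the object we actually hold: a regular file, a single link to
        # its inode (no hard-link trick), owned by us.
        if (not stat.S_ISREG(st.st_mode) or st.st_nlink != 1
                or st.st_uid != os.geteuid()):
            raise PermissionError(f"{path}: unexpected file after exclusive create")
        os.write(fd, data)
    finally:
        os.close(fd)


def dir_is_attacker_writable(directory: str) -> bool:
    """True when any local user may create names in the directory, the
    precondition the PoCs needed (a world-writable /var/crash). A sticky bit
    does not stop creation of a fresh name, so it still counts as writable."""
    return bool(os.stat(directory).st_mode & stat.S_IWOTH)


def symlink_protection_enabled() -> Optional[bool]:
    """Reads fs.protected_symlinks (Linux >= 3.6). Returns None when the kernel
    does not expose the knob, which is what an old SLE 11 kernel looks like."""
    try:
        with open("/proc/sys/fs/protected_symlinks") as f:
            return f.read().strip() == "1"
    except OSError:
        return None


def demo() -> dict:
    """Plant a symlink where a dump would be written and run both writers.
    Returns observations so the behaviour can be asserted without /var/crash."""
    original = b"original\n"
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")      # constructed stand-in for a root-owned file
        with open(victim, "wb") as f:
            f.write(original)
        dump = os.path.join(d, "example-crashdump.crash")
        os.symlink(victim, dump)               # what the attacker plants in advance

        naive_write(dump, b"attacker-controlled dump\n")
        with open(victim, "rb") as f:
            naive_clobbered = f.read() != original

        with open(victim, "wb") as f:          # restore the target for the second run
            f.write(original)
        try:
            safe_write(dump, b"attacker-controlled dump\n")
            safe_refused = False
        except OSError:                        # EEXIST from O_EXCL, or ELOOP from O_NOFOLLOW
            safe_refused = True
        with open(victim, "rb") as f:
            victim_after_safe = f.read()

        private_dir_writable = dir_is_attacker_writable(d)   # tempdir is 0700
        os.chmod(d, 0o1777)                                 # emulate a world-writable /var/crash
        world_dir_writable = dir_is_attacker_writable(d)
        os.chmod(d, 0o700)
        return {
            "naive_clobbered_target": naive_clobbered,
            "safe_refused": safe_refused,
            "victim_after_safe": victim_after_safe,
            "private_dir_writable": private_dir_writable,
            "world_dir_writable": world_dir_writable,
            "protected_symlinks": symlink_protection_enabled(),
        }


if __name__ == "__main__":
    print(demo())
```

Note that the demo deliberately does not rely on fs.protected_symlinks: that sysctl only refuses to follow a link in a world-writable sticky directory when the link's owner differs from both the directory owner and the process following it, which is why the original report says it merely reduces the issue to a denial of service. The exclusive, no-follow open plus the post-open fstat() check works the same on a kernel that lacks the knob.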
Comment 8 Swamp Workflow Management 2017-07-24 19:11:51 UTC
SUSE-SU-2017:1938-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 947731
CVE References: CVE-2015-1338
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    apport-0.114-, apport-crashdb-sle-0.114-
Comment 9 Tomáš Chvátal 2018-01-25 15:51:49 UTC
Well the requested stuff was released...
Comment 10 Marcus Meissner 2018-02-09 06:14:13 UTC