CVE-2020-8831

Summary

Apport creates a world writable lock file with root ownership in the world writable /var/lock/apport directory. If the apport/ directory does not exist (this is not uncommon as /var/lock is a tmpfs), it will create the directory, otherwise it will simply continue execution using the existing directory. This allows for a symlink attack if an attacker were to create a symlink at /var/lock/apport, changing apport's lock file location. This file could then be used to escalate privileges, for example. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22.

Affected Software

VendorProductVersion RangeStatus
CanonicalApport2.20.1 < 2.20.1-0ubuntu2.23affected
CanonicalApport2.20.9 < 2.20.9-0ubuntu7.14affected
CanonicalApport2.20.11 < 2.20.11-0ubuntu8.8affected

Weaknesses

  • CWE-379: CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

ADP Enrichment

CVE Program Container

Additional References

References