CVE-2021-32554

Summary

It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the xorg package apport hooks, it could expose private data to other local users.

Affected Software

VendorProductVersion RangeStatus
Canonicalapport2.20.1 < 2.20.1-0ubuntu2.30+esm1affected
Canonicalapport2.20.9 < 2.20.9-0ubuntu7.24affected
Canonicalapport2.20.11-0ubuntu27 < 2.20.11-0ubuntu27.18affected
Canonicalapport2.20.11-0ubuntu50 < 2.20.11-0ubuntu50.7affected
Canonicalapport2.20.11-0ubuntu65 < 2.20.11-0ubuntu65.1affected
Canonicalapport2.14.1-0ubuntu3 < 2.14.1-0ubuntu3.29+esm7affected

Weaknesses

  • CWE-59: CWE-59 Improper Link Resolution Before File Access ('Link Following')
  • CWE-61: CWE-61 UNIX Symbolic Link (Symlink) Following

ADP Enrichment

CVE Program Container

Additional References

References