Published: 18 July 2017
An issue was discovered in Apport through 2.20.x. In apport/report.py, Apport sets the ExecutablePath field and it then uses the path to run package specific hooks without protecting against path traversal. This allows remote attackers to execute arbitrary code via a crafted .crash file.
CVSS 3 base score: 7.8
Launchpad, Ubuntu, Debian
|Ubuntu 16.04 ESM (Xenial Xerus)||
|Ubuntu 14.04 ESM (Trusty Tahr)||
Apport registers itself as the default handler for .crash files so an attacker could trick a user into opening a malicious .crash file and execute arbitrary code as the user. A potential method of hardening apport against these types of attacks is to unregister it as the handler for .crash files.