CVE-2020-8831

Published: 2 April 2020

Apport creates a world writable lock file with root ownership in the world writable /var/lock/apport directory. If the apport/ directory does not exist (this is not uncommon as /var/lock is a tmpfs), it will create the directory, otherwise it will simply continue execution using the existing directory. This allows for a symlink attack if an attacker were to create a symlink at /var/lock/apport, changing apport's lock file location. This file could then be used to escalate privileges, for example. Fixed in versions 2.20.1-0ubuntu2.23, 2.20.9-0ubuntu7.14, 2.20.11-0ubuntu8.8 and 2.20.11-0ubuntu22.

Priority

Cvss 3 Severity Score

5.5

Score breakdown

Status

Package	Release	Status
apport Launchpad, Ubuntu, Debian	bionic	Released (2.20.9-0ubuntu7.14)
	eoan	Released (2.20.11-0ubuntu8.8)
	focal	Released (2.20.11-0ubuntu22)
	precise	Does not exist
	trusty	Released (2.14.1-0ubuntu3.29+esm4)
	upstream	Needs triage
	xenial	Released (2.20.1-0ubuntu2.23)

Severity score breakdown

Parameter	Value
Base score	5.5
Attack vector	Local
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	High
Availability impact	None
Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References

Bugs

https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1862348

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›