Ubuntu Apport Insecure File Permissions Vulnerability Allowing Sensitive Data Exposure

A vulnerability exists in Canonical's Apport crash reporting tool, specifically in versions of Apport prior to 2.33.0. The issue arises because the process_crash() function creates crash report files with incorrect group ownership, granting group read permissions by default. This flaw can lead to unauthorized access to sensitive information, such as passwords and encryption keys, contained within the crash reports. The vulnerability is particularly concerning on Ubuntu server installations, which do not include the 'whoopsie' package by default, leaving crash files accessible to other users in the same primary group.

Impact

The vulnerability allows users in the same primary group to read crash reports of other users, potentially leading to the disclosure of sensitive information such as passwords and encryption keys.

Reproduction

The vulnerability can be reproduced by creating two users with their primary group set to 'staff'. When a process executed by one user crashes, the Apport tool generates a crash report file in '/var/crash' with group read permissions. Another user in the same group can then access this file, using the 'apport-unpack' command to extract the contents, including sensitive data from the core dump.

Remediation

Users can update to Apport version 2.33.0 or later, and remove group read permissions from existing crash reports. Instructions for this can be found in the Ubuntu security advisory for CVE-2025-5467.