Incorrect parsing of /proc/pid/status in Apport

Aleph Research Advisory





    • Apport
    • Ubuntu

Vulnerable Versions

    • Apport: Ubuntu 20.10 - Before 2.20.11-0ubuntu50.5
    • Apport: Ubuntu 20.04 - Before 2.20.11-0ubuntu27.16
    • Apport: Ubuntu 18.04 - Before 2.20.9-0ubuntu7.23
    • Apport: Ubuntu 16.04 - Before 2.20.1-0ubuntu2.30

Technical Details

Apport will drop his privileges according to the UID and GID values extracted from /proc/pid/status.

‘get_pid_info’ function will iterate through each line of the status file, if a line starts with “Uid:” or “Gid:” it takes the first argument in that line and puts it into real_uid and real_gid variables.

with open('status', opener=proc_pid_opener) as f:
    for line in f:
        if line.startswith('Uid:'):
            real_uid = int(line.split()[1])
        elif line.startswith('Gid:'):
            real_gid = int(line.split()[1])

Dropping privileges can be bypassed by crashing a process with a file name set to “a\rUid: 0\rGid: 0”.

When we will crash the process, we are able to “inject” UID and GID values to /proc/pid/status file (in the Name field), causing apport to never really drop privileges ( real_uid now is 0 and real_gid is also 0).


  • 02-Feb-21
    : Public disclosure.
  • 02-Feb-21
    : Patch available.
  • 21-Jan-21
    : CVE-2021-25682 assigned.
  • 19-Jan-21
    : Reported.



External References