Incorrect parsing of /proc/pid/stat in Apport

Aleph Research Advisory





    • Apport
    • Ubuntu

Vulnerable Versions

    • Apport: Ubuntu 20.10 - Before 2.20.11-0ubuntu50.5
    • Apport: Ubuntu 20.04 - Before 2.20.11-0ubuntu27.16
    • Apport: Ubuntu 18.04 - Before 2.20.9-0ubuntu7.23
    • Apport: Ubuntu 16.04 - Before 2.20.1-0ubuntu2.30

Technical Details

Apport checks if the process was replaced after the crash by comparing between two variables, apport_start and process_start.

process_start gets the start time of the process by parsing the content of /proc/pid/stat file.

The start time is extracted from the 22 column of the /proc/pid/stat file.

def get_starttime(contents):
    '''Extracts the starttime from the contents of a stat file'''

    # 22nd field in a stat file is the time the process started after
    # system boot in clock ticks.
    return int(contents.split()[21])

We are able to bypass this check by recycle the pid with a process with “ “(space) in its filename, causing process_start to have the wrong value (which is smaller than apport_start).


  • 02-Feb-21
    : Public disclosure.
  • 02-Feb-21
    : Patch available.
  • 21-Jan-21
    : CVE-2021-25683 assigned.
  • 19-Jan-21
    : Reported.



External References