Incorrect parsing of /proc/pid/stat in Apport

Low

• Apport
• Ubuntu

Vulnerable Versions

• Apport: Ubuntu 20.10 - Before 2.20.11-0ubuntu50.5
• Apport: Ubuntu 20.04 - Before 2.20.11-0ubuntu27.16
• Apport: Ubuntu 18.04 - Before 2.20.9-0ubuntu7.23
• Apport: Ubuntu 16.04 - Before 2.20.1-0ubuntu2.30

Technical Details

Apport checks if the process was replaced after the crash by comparing between two variables, apport_start and process_start.

process_start gets the start time of the process by parsing the content of /proc/pid/stat file.

The start time is extracted from the 22 column of the /proc/pid/stat file.

def get_starttime(contents):
'''Extracts the starttime from the contents of a stat file'''

# 22nd field in a stat file is the time the process started after
# system boot in clock ticks.
return int(contents.split()[21])


We are able to bypass this check by recycle the pid with a process with “ “(space) in its filename, causing process_start to have the wrong value (which is smaller than apport_start).

Timeline

• 02-Feb-21
: Public disclosure.
• 02-Feb-21
: Patch available.
• 21-Jan-21
: CVE-2021-25683 assigned.
• 19-Jan-21
: Reported.