read_file() only checks the basename for symlinks, so, in the case of openjdk and xorg, the apport hook can still be exploited even without directory traversal:
openjdk:
    path = "%s/hs_err_pid%s.log" % (cwd, pid)
    # make sure if exists
    if os.path.exists(path):
        content = read_file(path)
cwd could be /home/attacker, /home/attacker/hs_err_pid could be a symlink to some other system directory, and pid can be an arbitrary filename. This would allow a root-owned file ending in .log to be read.
Code in xorg is similar, but being hardcoded to '/tmp/compiz_internal_state%s' means it will likely be prevented if kernel symlink restrictions are enabled.
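The following Python is an added illustration, not apport's code and not anything attached to the bug. It models the behaviour described above: a basename-only symlink check that follows a symlinked directory earlier in the path, next to a hardened check that walks every component below the hook's working directory with O_NOFOLLOW. The directory layout (a temp dir standing in for /home/attacker and for a privileged directory), the file contents and the function names read_file_weak / read_file_strict / build_fixture / demo are all constructed for the demo. It assumes Linux (dir_fd, O_DIRECTORY, ELOOP on O_NOFOLLOW).

```python
import os
import tempfile

# Added example (not apport's own code). Models the two behaviours described
# above: read_file_weak() only tests the final path component for being a
# symlink, so a symlinked directory earlier in the path is silently followed;
# read_file_strict() walks every component below the expected directory with
# O_NOFOLLOW, so a symlink anywhere in the chain is refused.


def read_file_weak(path):
    """Basename-only symlink check, as described for the apport hook."""
    if os.path.islink(path):
        raise ValueError("refusing to read symlink: %s" % path)
    with open(path) as f:
        return f.read()


def read_file_strict(base_dir, path):
    """Open `path`, which must lie under `base_dir`, without following any
    symlink. Each directory component is opened relative to the previous
    one (dir_fd) with O_NOFOLLOW|O_DIRECTORY, so the check and the open
    act on the same directory entry and cannot be raced by a rename."""
    rel = os.path.relpath(os.path.normpath(path), base_dir)
    parts = rel.split(os.sep)
    if os.path.isabs(rel) or parts[0] == os.pardir:
        raise ValueError("path escapes %s: %s" % (base_dir, path))
    dfd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for comp in parts[:-1]:
            # A symlink here fails with ELOOP because of O_NOFOLLOW.
            nfd = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                          dir_fd=dfd)
            os.close(dfd)
            dfd = nfd
        fd = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dfd)
    except OSError as e:
        raise ValueError("refusing %s: %s" % (path, e)) from e
    finally:
        os.close(dfd)
    with os.fdopen(fd) as f:
        return f.read()


def build_fixture():
    """Constructed layout standing in for the real system:
    <root>/privileged/secret.log             plays the root-owned *.log file
    <root>/home_attacker/                    plays /home/attacker (the hook's cwd)
    <root>/home_attacker/hs_err_pid -> <root>/privileged   the attacker's symlink
    <root>/home_attacker/hs_err_pid1234.log  a legitimate crash log
    """
    root = tempfile.mkdtemp()
    privileged = os.path.join(root, "privileged")
    cwd = os.path.join(root, "home_attacker")
    os.mkdir(privileged)
    os.mkdir(cwd)
    with open(os.path.join(privileged, "secret.log"), "w") as f:
        f.write("root-only contents\n")
    with open(os.path.join(cwd, "hs_err_pid1234.log"), "w") as f:
        f.write("genuine hs_err log\n")
    os.symlink(privileged, os.path.join(cwd, "hs_err_pid"))
    return cwd


def demo():
    cwd = build_fixture()
    results = {}
    # Attacker-chosen "pid": the hook never validates it, so the path becomes
    # <cwd>/hs_err_pid/secret.log and the symlinked directory is followed.
    path = "%s/hs_err_pid%s.log" % (cwd, "/secret")
    if os.path.exists(path):
        results["weak_leak"] = read_file_weak(path)
    try:
        read_file_strict(cwd, path)
        results["strict_blocked"] = False
    except ValueError:
        results["strict_blocked"] = True
    # The hardened check still serves the legitimate case.
    good = "%s/hs_err_pid%s.log" % (cwd, "1234")
    results["strict_ok"] = read_file_strict(cwd, good)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, repr(value))
```

Note that fs.protected_symlinks does not help in the openjdk case modelled here: the symlink sits in the attacker's own (non-sticky) directory and is owned by the same user who created it, so the kernel restriction, which only covers sticky world-writable directories such as /tmp, never applies. That is why the xorg variant, hardcoded under /tmp, fares better than the openjdk one.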