Comment 11 for bug 1933832

Marc Deslauriers (mdeslaur) wrote:

read_file() only checks the basename for symlinks, so, in the case of openjdk and xorg, the apport hook can still be exploited even without directory traversal:

openjdk:

            path = "%s/hs_err_pid%s.log" % (cwd, pid)
            # make sure if exists
            if os.path.exists(path):
                content = read_file(path)

cwd could be /home/attacker, /home/attacker/hs_err_pid could be a symlink to some other system directory, and pid can be an arbitrary filename. This would allow a root-owned file ending in .log to be read.

Code in xorg is similar, but being hardcoded to '/tmp/compiz_internal_state%s' means it will likely be prevented if kernel symlink restrictions are enabled.
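To make the openjdk case concrete, here is an added stand-alone example (not apport's or openjdk's code, and not from the comment above) that rebuilds the layout described: an attacker-owned cwd containing a symlink named hs_err_pid to another directory, and an attacker-chosen "pid" of "/private" that turns hs_err_pid%s.log into a path through that symlink. The weak check is a hypothetical stand-in for a basename-only symlink test; the hardened check resolves every component with os.path.realpath and requires the target to stay under the directory the hook was handed. The temp-dir layout, file contents and function names are all constructed for the example.

```python
import os
import tempfile


def final_component_is_symlink(path):
    """Weak check (hypothetical stand-in, not apport's read_file): only the
    last path component is tested, so a symlinked parent directory passes."""
    return os.path.islink(path)


def escapes_directory(path, trusted_dir):
    """Hardened check: follow every symlink in every component and reject
    anything whose resolved target is not strictly inside trusted_dir."""
    root = os.path.realpath(trusted_dir)
    target = os.path.realpath(path)
    return os.path.commonpath([root, target]) != root or target == root


def weak(path, cwd):
    return final_component_is_symlink(path)


def hardened(path, cwd):
    return escapes_directory(path, cwd)


def read_log(cwd, pid, reject):
    """Build the same '%s/hs_err_pid%s.log' path as the hook and read it
    unless reject(path, cwd) says no. Returns None when rejected or absent."""
    path = "%s/hs_err_pid%s.log" % (cwd, pid)
    if not os.path.exists(path):
        return None
    if reject(path, cwd):
        return None
    with open(path) as f:
        return f.read()


def build_scenario():
    """Constructed layout under a fresh temp dir (no real system paths):
         base/secret/private.log                stands in for a root-owned *.log
         base/home/attacker/hs_err_pid  ->  base/secret   (attacker's symlink)
         base/home/attacker/hs_err_pid42.log    a benign crash log
    Returns the attacker's cwd."""
    base = tempfile.mkdtemp()
    secret = os.path.join(base, "secret")
    os.makedirs(secret)
    with open(os.path.join(secret, "private.log"), "w") as f:
        f.write("SECRET\n")
    cwd = os.path.join(base, "home", "attacker")
    os.makedirs(cwd)
    os.symlink(secret, os.path.join(cwd, "hs_err_pid"))
    with open(os.path.join(cwd, "hs_err_pid42.log"), "w") as f:
        f.write("benign crash log\n")
    return cwd


def demo():
    cwd = build_scenario()
    # "pid" is attacker-controlled; "/private" makes the path go through the
    # symlinked hs_err_pid directory while the final component is a plain file,
    # which is exactly what a basename-only symlink check cannot see.
    evil_pid = "/private"
    return {
        "weak_evil": read_log(cwd, evil_pid, weak),          # "SECRET\n"
        "hardened_evil": read_log(cwd, evil_pid, hardened),  # None
        "hardened_benign": read_log(cwd, "42", hardened),    # "benign crash log\n"
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-16s %r" % (name, value))
```

Note that comparing resolved paths also covers the xorg-style hardcoded '/tmp/compiz_internal_state%s' case without relying on fs.protected_symlinks: a symlink anywhere in the path that leaves the expected directory is rejected regardless of which component it sits in.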