CVE-2025-5467 - How Apport Crash Reports Can Leak Sensitive Data on Ubuntu Systems

In early 2025, a new vulnerability was found in Apport, the crash reporting tool shipped with Ubuntu and other Canonical-based Linux distributions. Tracked as CVE-2025-5467, this bug can accidentally make sensitive crash files accessible to the wrong users or groups. Below, we’ll break down what the issue is, how it happens, and what you can do to stay safe.

What is Apport?

Apport is Ubuntu’s crash reporting system. When an application breaks, Apport steps in to gather details like process memory and environment, then stores them in a crash file. These files can contain secrets, passwords, encryption keys, or chunks of memory from the crashed app.

The Bug: Faulty File Ownership

Normally, crash files written to /var/crash/ should be protected—they’re supposed to be readable only by root, and possibly by the user whose process crashed. But in Apport’s process_crash() function (found in its data/apport script), a bug can mess up the set group id (GID) when the crash file is created. As a result, crash files get the wrong ownership, accidentally exposing private data to more people than intended.

Exploit Details

An attacker with limited access to a multi-user system might watch /var/crash/ for new files. If one appears with an incorrect group or loose permissions, they can immediately cat or copy it—possibly scooping up passwords, private keys, or details about running processes.

1. A user or service crashes on the system.
2. Apport writes a *.crash file in /var/crash/.
3. Due to the bug, the file has group adm or even users instead of root or the strict group expected.

Code Snippet: The Vulnerable Piece

This simplified example shows the steps Apport should follow to set file ownership, but due to a bug, it sometimes gets this wrong:

import os

def process_crash(crashfile_path, expected_uid, expected_gid):
    # Open the crash file for writing
    with open(crashfile_path, 'w') as f:
        f.write("CRASH DATA\n")

    # Set file ownership, but a bug here can use a wrong group
    os.chown(crashfile_path, expected_uid, 0)  # Should be expected_gid!

The kicker: If expected_gid isn’t properly pulled in, the file gets gid 0 (root) or, worse, stays as the default group for the user running Apport, which might be way too permissive.

Mitigation and Fix

Canonical fixed this by correcting how Apport calls os.chown(), making sure it always uses the intended group.

- Patch: Update your OS (sudo apt update && sudo apt upgrade) to get the fixed Apport package.
- Audit: Check /var/crash/ for files not owned by root:root and lock them down.
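
One way to run the audit step above, written as an added example (it is not Apport's or Canonical's code). The function name audit_crash_dir and its parameters are hypothetical; the root:root default follows the audit bullet, and any permission bit granted to "other" users is treated as a finding.

```python
import os
import stat
import sys
from pathlib import Path


def audit_crash_dir(crash_dir="/var/crash", allowed_uids=(0,), allowed_gids=(0,)):
    """Return (path, reasons) for every *.crash file with unexpected ownership or mode.

    Defaults assume root:root (uid 0, gid 0) as the expected owner, per the audit
    step in the article; pass other ids if your policy differs.
    """
    findings = []
    for path in sorted(Path(crash_dir).glob("*.crash")):
        try:
            st = path.lstat()  # lstat: never follow a symlink placed in the directory
        except FileNotFoundError:
            continue  # file was removed between listing and stat
        reasons = []
        if not stat.S_ISREG(st.st_mode):
            reasons.append("not a regular file")
        if st.st_uid not in allowed_uids:
            reasons.append(f"unexpected owner uid {st.st_uid}")
        if st.st_gid not in allowed_gids:
            reasons.append(f"unexpected group gid {st.st_gid}")
        if st.st_mode & stat.S_IRWXO:
            mode = stat.S_IMODE(st.st_mode)
            reasons.append(f"accessible to others (mode {mode:04o})")
        if reasons:
            findings.append((str(path), reasons))
    return findings


if __name__ == "__main__":
    # Optional first argument: directory to scan (defaults to /var/crash).
    results = audit_crash_dir(*sys.argv[1:2])
    for crash_path, why in results:
        print(f"{crash_path}: {'; '.join(why)}")
    sys.exit(1 if results else 0)  # non-zero exit so cron or CI can alert
```

Run it as root so every file in the directory can be inspected; a non-zero exit status means at least one crash file needs its owner, group, or mode tightened.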

Conclusion

While this bug doesn’t let outsiders break into your system, it can help insiders or curious users access data they’re not meant to see. If you run Ubuntu or similar distributions, update your system right away and double check crash file access, especially on servers or shared desktops.

Stay tuned to Ubuntu security notices for more details about this and other issues. And remember: even your crash reports can hold secrets!

Timeline

Published on: 12/10/2025 18:16:19 UTC
Last modified on: 12/12/2025 15:18:42 UTC