It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-17 package apport hooks, it could expose private data to other local users.
{
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "18.04"
},
{
"last_affected": "18.04"
},
{
"introduced": "20.04"
},
{
"last_affected": "20.04"
},
{
"introduced": "20.10"
},
{
"last_affected": "20.10"
},
{
"introduced": "21.04"
},
{
"last_affected": "21.04"
},
{
"introduced": "21.10"
},
{
"last_affected": "21.10"
}
],
"source": "CPE_STRING",
"vendor_product": "canonical:ubuntu_linux",
"cpes": [
"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
"cpe:2.3:o:canonical:ubuntu_linux:20.10:*:*:*:*:*:*:*",
"cpe:2.3:o:canonical:ubuntu_linux:21.04:*:*:*:lts:*:*:*",
"cpe:2.3:o:canonical:ubuntu_linux:21.10:*:*:*:*:*:*:*"
]
}
]
}