It was discovered that the default event handling scripts installed by abrt follow symbolic links, allowing local attackers with write access to an abrt problem directory to escalate their privileges, as demonstrated by a var_log_messages file which is a symbolic link to a file in /etc/cron.hourly. Acknowledgement: This issue was discovered by Florian Weimer of Red Hat Product Security.
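An added example (not abrt's code, and not part of this bug report) showing the defensive pattern the report points at: an event script that reads an element of a problem directory through a directory file descriptor with O_NOFOLLOW and checks the opened fd with fstat, so a symbolic link planted as var_log_messages is refused instead of being followed into /etc/cron.hourly. The problem directory, the "reason" element and the cron-target stand-in are constructed for the demonstration; the O_NOFOLLOW/dir_fd calls are Linux semantics.

```python
import errno
import os
import shutil
import stat
import tempfile

# Constructed for this example: names of problem-directory elements an
# event script might read. "var_log_messages" is the element named in the
# report; "reason" is a hypothetical stand-in for any regular element.
ELEMENTS = ("var_log_messages", "reason")


def read_problem_element(problem_dir, name, expected_uid=None):
    """Read one element of an abrt-style problem directory without following links.

    Returns (data, None) on success or (None, reason) when the element is
    refused. The element is opened relative to a directory fd with O_NOFOLLOW,
    so a symlink is rejected by the kernel (ELOOP) rather than followed, and
    all checks run on the already-open fd to avoid a check-then-use race.
    """
    if not name or "/" in name or name in (".", ".."):
        return None, "refused: invalid element name"

    dir_fd = os.open(problem_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        try:
            fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY,
                         dir_fd=dir_fd)
        except OSError as exc:
            if exc.errno == errno.ELOOP:
                return None, "refused: element is a symbolic link"
            return None, "open failed: %s" % exc.strerror
        try:
            st = os.fstat(fd)
            if not stat.S_ISREG(st.st_mode):
                return None, "refused: element is not a regular file"
            if expected_uid is not None and st.st_uid != expected_uid:
                return None, "refused: element not owned by uid %d" % expected_uid
            chunks = []
            while True:
                buf = os.read(fd, 65536)
                if not buf:
                    break
                chunks.append(buf)
            return b"".join(chunks), None
        finally:
            os.close(fd)
    finally:
        os.close(dir_fd)


def demo():
    """Build a constructed problem directory and report which reads are refused."""
    root = tempfile.mkdtemp(prefix="abrt-example-")
    try:
        problem_dir = os.path.join(root, "ccpp-example")
        os.mkdir(problem_dir)
        # Stand-in for a privileged target such as a file under /etc/cron.hourly.
        target = os.path.join(root, "cron-target")
        with open(target, "wb") as f:
            f.write(b"privileged content\n")

        with open(os.path.join(problem_dir, "reason"), "wb") as f:
            f.write(b"Process was terminated by signal 11\n")
        # The hazardous element: a symlink planted where a regular file is expected.
        os.symlink(target, os.path.join(problem_dir, "var_log_messages"))

        results = {}
        for name in ELEMENTS:
            data, reason = read_problem_element(problem_dir, name, os.getuid())
            results[name] = data if reason is None else reason
        # A traversal-style element name is refused before any open() happens.
        results["../cron-target"] = read_problem_element(problem_dir, "../cron-target")[1]
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for element, outcome in demo().items():
        print("%-20s %r" % (element, outcome))
```

Running it prints the content of "reason", the refusal for the symlinked var_log_messages, and the refusal of the traversal name. The same fd-based pattern applies to writing into a problem directory: open the directory first, then the element with O_NOFOLLOW relative to it.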
Created abrt tracking bugs for this issue: Affects: fedora-all [bug 1212865]
The commits are listed in bug #1212868 comment #4.
I am going to make the code a bit more robust by preventing non-root users from triggering the default event scripts run by abrtd under the root user.
These commits stop non-root users from triggering the default EVENT scripts:
daemon: allow only root user to trigger the post-create
https://github.com/abrt/abrt/commit/3287aa12eb205cff95cdd00d6d6c5c9a4f8f0eca
daemon, dbus: allow only root to create CCpp, Koops, vmcore and xorg
https://github.com/abrt/abrt/commit/7417505e1d93cc95ec648b74e3c801bc67aacb9f
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:1083 https://rhn.redhat.com/errata/RHSA-2015-1083.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:1210 https://rhn.redhat.com/errata/RHSA-2015-1210.html