It was discovered that the helper program, abrt-action-install-debuginfo-to-abrt-cache, does not properly filter the process environment (umask and truncated command line options) before invoking abrt-action-install-debuginfo. A local user could exploit this vulnerability to obtain root privileges. Acknowledgements: This issue was discovered by Florian Weimer of Red Hat Product Security.
Created abrt tracking bugs for this issue: Affects: fedora-all [bug 1216975]
The fix should set the umask to 022 and apply a whitelist to the command line options. Changing the current directory to /var/spool/abrt would be preferable as well, but this is difficult because some ways of running abrt-action-install-debuginfo open a file build_ids in the current directory (which could result in an abrt -> local user information disclosure). Perhaps the wrapper can open the file, using the calling user's UID/GID, and pass it on standard input. I also looked at the way in which yum creates the /var/tmp/yum-abrt-* directory, and it appears to be okay.
These upstream commits fix this CVE:
https://github.com/abrt/abrt/commit/9943a77bca37a0829ccd3784d1dfab37f8c24e7b
https://github.com/abrt/abrt/commit/9a4100678fea4d60ec93d35f4c5de2e9ad054f3a
Starting with Red Hat Enterprise Linux 6.5, due to a regression introduced by the fix for bug 759443 (“ABRT won't install debuginfos from rhn repository”), abrt-action-install-debuginfo does not seem to do much when abrt-action-install-debuginfo-to-abrt-cache is invoked by a non-root user, so the issue is mitigated in later versions of Red Hat Enterprise Linux 6.
I would like to fix abrt-action-install-debuginfo in RHEL-6 to make it work for non-root users again (bug #1216962). Only the users who use only rhn repositories suffer from bug #756443 (“ABRT won't install debuginfos from rhn repository”), but other users who might have configured custom repositories (or CentOS users) should be able to use ABRT to download debug info packages.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:1083 https://rhn.redhat.com/errata/RHSA-2015-1083.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:1210 https://rhn.redhat.com/errata/RHSA-2015-1210.html