A vulnerability allowing to elevate privileges from the abrt user to root was reported. If a program starting with the name "abrt" crashes, abrt-hook-ccpp will write the coredump to /var/tmp/abrt/$filename-coredump or /var/spool/abrt/$filename-coredump. From abrt-hook-ccpp.c: if (last_slash && strncmp(++last_slash, "abrt", 4) == 0) { /* If abrtd/abrt-foo crashes, we don't want to create a _directory_, * since that can make new copy of abrtd to process it, * and maybe crash again... * Unlike dirs, mere files are ignored by abrtd. */ if (snprintf(path, sizeof(path), "%s/%s-coredump", g_settings_dump_location, last_slash) >= sizeof(path)) error_msg_and_die("Error saving '%s': truncated long file path", path); int abrt_core_fd = xopen3(path, O_WRONLY | O_CREAT | O_TRUNC, 0600); The call to xopen3() does not include the flag O_NOFOLLOW and is therefore vulnerable to a symlink attack. This vulnerability is not exploitable on RHEL installations with default configuration. It can be exploitable if the system is configured to use non-RHN yum repositories. This is because yum is normally not usable by non-root users if the only configured repositories are RHN. Note: This security flaw has been split from bug #1262252.
Acknowledgements: Red Hat would like to thank Philip Pettersson of Samsung for reporting this issue.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:2505 https://rhn.redhat.com/errata/RHSA-2015-2505.html