A vulnerability that allows privilege escalation from the abrt user to root was reported.
If a program starting with the name "abrt" crashes, abrt-hook-ccpp will write the coredump to /var/tmp/abrt/$filename-coredump or /var/spool/abrt/$filename-coredump. From abrt-hook-ccpp.c:

    if (last_slash && strncmp(++last_slash, "abrt", 4) == 0)
    {
        /* If abrtd/abrt-foo crashes, we don't want to create a _directory_,
         * since that can make new copy of abrtd to process it,
         * and maybe crash again...
         * Unlike dirs, mere files are ignored by abrtd.
         */
        if (snprintf(path, sizeof(path), "%s/%s-coredump", g_settings_dump_location, last_slash) >= sizeof(path))
            error_msg_and_die("Error saving '%s': truncated long file path", path);

        int abrt_core_fd = xopen3(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
        /* ... */
    }

The call to xopen3() does not include the flag O_NOFOLLOW and is therefore vulnerable to a symlink attack.
This vulnerability is not exploitable on RHEL installations with default configuration. It can be exploitable if the system is configured to use non-RHN yum repositories. This is because yum is normally not usable by non-root users if the only configured repositories are RHN.
Note: This security flaw has been split from bug #1262252.
Red Hat would like to thank Philip Pettersson of Samsung for reporting this issue.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2015:2505 https://rhn.redhat.com/errata/RHSA-2015-2505.html
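
The effect of the missing O_NOFOLLOW flag described above can be reproduced in a private temporary directory. This is an added example, not code from abrt or from the original report: open_dump(), target_size_after_open() and all file names are assumptions of the example, and plain open() stands in for xopen3().

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* mkdtemp() and O_NOFOLLOW under strict -std modes */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Same flags as the xopen3() call in the excerpt; `extra` exists only in this example. */
static int open_dump(const char *path, int extra)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC | extra, 0600);
}

/* Constructed scenario: <tmpdir>/abrt-x-coredump is a symlink to a 6-byte file.
 * Returns that file's size after the open attempt (-1 on setup failure). */
long target_size_after_open(int extra, int *open_errno)
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX", target[64], dump[64];
    struct stat st;
    long size = -1;

    *open_errno = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof(target), "%s/target", dir);
    snprintf(dump, sizeof(dump), "%s/abrt-x-coredump", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && write(fd, "secret", 6) == 6 && symlink(target, dump) == 0) {
        int dump_fd = open_dump(dump, extra);
        if (dump_fd < 0) *open_errno = errno; else close(dump_fd);
        if (stat(target, &st) == 0) size = (long)st.st_size;
    }
    if (fd >= 0) close(fd);
    unlink(dump); unlink(target); rmdir(dir);
    return size;
}

int main(void)
{
    int err;
    long n = target_size_after_open(0, &err);
    printf("flags as in excerpt: target size %ld, errno %d\n", n, err);
    n = target_size_after_open(O_NOFOLLOW, &err);
    printf("with O_NOFOLLOW:     target size %ld, errno %d (%s)\n", n, err, strerror(err));
    return 0;
}
```

On Linux the first call truncates the symlink's target, while the second fails with ELOOP and leaves it intact. O_NOFOLLOW only checks the final path component, so it does not cover symlinks in parent directories.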