Red Hat Bugzilla – Bug 396861
CVE-2007-6206 Issue with core dump owner
Last modified: 2010-12-22 18:33:24 EST
Description of problem:
In 2.6.x and 2.4.x kernels, if a core file owned by a non root user exists and
root runs a process that drops core in the same location, the original core
file owned by the non root user is replaced with root's core dump, except the
original owner maintains ownership of the core.
This one is public via:
This one has not CVE number assigned yet, will attach it, as soon as this one
Created attachment 267571 [details]
Simple crashing file producing core dump files
Attaching simple crashing C file producing core dump files.
Escalating severity of this issue, as I got some additional information.
" A security flaw was found in the mechanism the Linux kernel uses to handle
the core dump files creation. If a core file owned by a local,
authenticated, non-root user existed and root ran process that wrote a core
file to the same directory, the original non-root's core file would be
replaced by root's core file, which could make sensitive information
available to unauthorized users. (CVE-2007-6206, Moderate). "
Note that by default on Red Hat Enterprise Linux, core files are created with
filenames containing the pid. This would make it harder to exploit this issue
as not only do you need to get a root-process to dump core into a directory in
which you have write access, but you also need to know the pid of the thing
that's going to dump core (or create a lot of files).
This was addressed via:
Red Hat Enterprise Linux version 4 (RHSA-2008:0055)
Red Hat Enterprise Linux version 5 (RHSA-2008:0089)
Red Hat Enterprise Linux version 3 (RHSA-2008:0211)
Red Hat Linux Advanced Workstation 2.1 (RHSA-2008:0787)
Red Hat Enterprise Linux version 2.1 (RHSA-2009:0001)