Bug 396861 - (CVE-2007-6206) CVE-2007-6206 Issue with core dump owner
CVE-2007-6206 Issue with core dump owner
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
reported=20040710,public=20040710,sou...
: Security
Depends On: 396941 396951 396961 396971 396981 396991 397001
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-23 10:06 EST by Jan Lieskovsky
Modified: 2010-12-22 18:33 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-22 18:33:24 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Simple crashing file producing core dump files (61 bytes, text/x-csrc)
2007-11-23 10:17 EST, Jan Lieskovsky
no flags Details

  None (edit)
Description Jan Lieskovsky 2007-11-23 10:06:43 EST
Description of problem:

In 2.6.x and 2.4.x kernels, if a core file owned by a non root user exists and 
root runs a process that drops core in the same location, the original core 
file owned by the non root user is replaced with root's core dump, except the 
original owner maintains ownership of the core.

This one is public via: 

http://bugzilla.kernel.org/show_bug.cgi?id=3043

This one has not CVE number assigned yet, will attach it, as soon as this one
gets one.
Comment 2 Jan Lieskovsky 2007-11-23 10:17:25 EST
Created attachment 267571 [details]
Simple crashing file producing core dump files

Attaching simple crashing C file producing core dump files.
Comment 4 Jan Lieskovsky 2007-12-04 10:00:20 EST
Escalating severity of this issue, as I got some additional information. 
Comment 5 Mark J. Cox (Product Security) 2008-01-21 05:07:03 EST
" A security flaw was found in the mechanism the Linux kernel uses to handle
the core dump files creation. If a core file owned by a local,
authenticated, non-root user existed and root ran process that wrote a core
file to the same directory, the original non-root's core file would be
replaced by root's core file, which could make sensitive information
available to unauthorized users. (CVE-2007-6206, Moderate). "
Comment 7 Mark J. Cox (Product Security) 2008-01-21 08:42:14 EST
Note that by default on Red Hat Enterprise Linux, core files are created with
filenames containing the pid.  This would make it harder to exploit this issue
as not only do you need to get a root-process to dump core into a directory in
which you have write access, but you also need to know the pid of the thing
that's going to dump core (or create a lot of files).  
Comment 9 Vincent Danen 2010-12-22 18:33:24 EST
This was addressed via:

Red Hat Enterprise Linux version 4 (RHSA-2008:0055)
Red Hat Enterprise Linux version 5 (RHSA-2008:0089)
Red Hat Enterprise Linux version 3 (RHSA-2008:0211)
Red Hat Linux Advanced Workstation 2.1 (RHSA-2008:0787)
Red Hat Enterprise Linux version 2.1 (RHSA-2009:0001)

Note You need to log in before you can comment on or make changes to this bug.