Bug 396861 (CVE-2007-6206) - CVE-2007-6206 Issue with core dump owner
Summary: CVE-2007-6206 Issue with core dump owner
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-6206
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 396941 396951 396961 396971 396981 396991 397001
Blocks:
Reported: 2007-11-23 15:06 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:22 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-22 23:33:24 UTC
Embargoed:


Attachments
Simple crashing file producing core dump files (61 bytes, text/x-csrc)
2007-11-23 15:17 UTC, Jan Lieskovsky


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0055 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2008-01-31 18:35:49 UTC
Red Hat Product Errata RHSA-2008:0089 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2008-01-23 15:07:09 UTC
Red Hat Product Errata RHSA-2008:0211 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2008-05-07 07:03:52 UTC
Red Hat Product Errata RHSA-2008:0787 0 normal SHIPPED_LIVE Important: kernel security update 2009-01-05 07:08:54 UTC
Red Hat Product Errata RHSA-2009:0001 0 normal SHIPPED_LIVE Important: kernel security update 2009-01-08 15:47:52 UTC

Description Jan Lieskovsky 2007-11-23 15:06:43 UTC
Description of problem:

In 2.6.x and 2.4.x kernels, if a core file owned by a non-root user exists and 
root runs a process that drops core in the same location, the original core 
file owned by the non-root user is replaced with root's core dump, except the 
original owner maintains ownership of the core.

This one is public via: 

http://bugzilla.kernel.org/show_bug.cgi?id=3043

This one has no CVE number assigned yet; I will attach it as soon as this one
gets one.
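
The ownership rule at issue in the description above, shown as a user-space analogue: before writing sensitive dump data into a file that already exists, verify that the file is owned by the writer. This is an added example, not the attachment from this bug and not kernel code; `dump_target_ok`, `open_dump_target` and the file name `core.demo` are hypothetical names.

```c
/* Added example (user-space analogue, not kernel code). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* O_NOFOLLOW, ftruncate */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Reuse an existing file only if it is a regular file with a single link
 * and is owned by the identity about to write into it. */
int dump_target_ok(const struct stat *st, uid_t writer)
{
    if (!S_ISREG(st->st_mode) || st->st_nlink != 1)
        return 0;
    return st->st_uid == writer;
}

/* Returns a writable fd on an empty file, or -1 if the target is refused. */
int open_dump_target(const char *path, uid_t writer)
{
    struct stat st;
    /* New file: O_EXCL guarantees we created it, so we own it (mode 0600). */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0 || errno != EEXIST)
        return fd;
    /* Existing file: no O_TRUNC, so nothing changes before the check;
     * O_NONBLOCK keeps a FIFO at this path from blocking the open. */
    fd = open(path, O_WRONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !dump_target_ok(&st, writer) ||
        ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "core.demo"; /* hypothetical name */
    int fd = open_dump_target(path, geteuid());
    printf("%s: %s\n", path, fd >= 0 ? "opened for dump" : "refused");
    if (fd >= 0)
        close(fd);
    return fd >= 0 ? 0 : 1;
}
```

The check runs on the open descriptor with `fstat`, not on the path, so the file cannot be swapped between the check and the write.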

Comment 2 Jan Lieskovsky 2007-11-23 15:17:25 UTC
Created attachment 267571
Simple crashing file producing core dump files

Attaching simple crashing C file producing core dump files.

Comment 4 Jan Lieskovsky 2007-12-04 15:00:20 UTC
Escalating severity of this issue, as I got some additional information. 

Comment 5 Mark J. Cox 2008-01-21 10:07:03 UTC
"A security flaw was found in the mechanism the Linux kernel uses to handle
the core dump files creation. If a core file owned by a local,
authenticated, non-root user existed and root ran a process that wrote a core
file to the same directory, the original non-root's core file would be
replaced by root's core file, which could make sensitive information
available to unauthorized users. (CVE-2007-6206, Moderate)."

Comment 7 Mark J. Cox 2008-01-21 13:42:14 UTC
Note that by default on Red Hat Enterprise Linux, core files are created with
filenames containing the pid.  This would make it harder to exploit this issue
as not only do you need to get a root-process to dump core into a directory in
which you have write access, but you also need to know the pid of the thing
that's going to dump core (or create a lot of files).  

Comment 9 Vincent Danen 2010-12-22 23:33:24 UTC
This was addressed via:

Red Hat Enterprise Linux version 4 (RHSA-2008:0055)
Red Hat Enterprise Linux version 5 (RHSA-2008:0089)
Red Hat Enterprise Linux version 3 (RHSA-2008:0211)
Red Hat Linux Advanced Workstation 2.1 (RHSA-2008:0787)
Red Hat Enterprise Linux version 2.1 (RHSA-2009:0001)
