Description of problem: In 2.6.x and 2.4.x kernels, if a core file owned by a non root user exists and root runs a process that drops core in the same location, the original core file owned by the non root user is replaced with root's core dump, except the original owner maintains ownership of the core. This one is public via: http://bugzilla.kernel.org/show_bug.cgi?id=3043 This one has not CVE number assigned yet, will attach it, as soon as this one gets one.
Created attachment 267571 [details] Simple crashing file producing core dump files Attaching simple crashing C file producing core dump files.
Escalating severity of this issue, as I got some additional information.
" A security flaw was found in the mechanism the Linux kernel uses to handle the core dump files creation. If a core file owned by a local, authenticated, non-root user existed and root ran process that wrote a core file to the same directory, the original non-root's core file would be replaced by root's core file, which could make sensitive information available to unauthorized users. (CVE-2007-6206, Moderate). "
Note that by default on Red Hat Enterprise Linux, core files are created with filenames containing the pid. This would make it harder to exploit this issue as not only do you need to get a root-process to dump core into a directory in which you have write access, but you also need to know the pid of the thing that's going to dump core (or create a lot of files).
This was addressed via: Red Hat Enterprise Linux version 4 (RHSA-2008:0055) Red Hat Enterprise Linux version 5 (RHSA-2008:0089) Red Hat Enterprise Linux version 3 (RHSA-2008:0211) Red Hat Linux Advanced Workstation 2.1 (RHSA-2008:0787) Red Hat Enterprise Linux version 2.1 (RHSA-2009:0001)