It was discovered that the abrt-dbus D-Bus service contains several
directory traversal flaws related to the NewProblem, GetInfo and
SetElement methods. Local attackers could use these flaws to read and
write arbitrary files as the root user, or take ownership of arbitrary
files and directories.
This issue was discovered by Florian Weimer of Red Hat Product Security.
Created abrt tracking bugs for this issue:
Affects: fedora-all [bug 1214452]
The following upstream commits fix this CVE:
Martin has found out that the DeleteElement method is still vulnerable. This upstream commit adds additional verification of all D-Bus parameters:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2015:1083 https://rhn.redhat.com/errata/RHSA-2015-1083.html
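
The kind of parameter verification that closes this class of directory traversal is sketched below. This is an added example, not code from abrt or from the upstream commits. It assumes a method receives a problem directory path and an element name from the caller; the dump location constant and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed dump location for this example; not taken from the page. */
#define DUMP_LOCATION "/var/spool/abrt-example"

/* A name is safe only if it is exactly one path component. */
bool name_is_single_component(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    return strchr(name, '/') == NULL;
}

/* The caller-supplied problem directory must be a direct child of the
 * dump location: "<DUMP_LOCATION>/<one component>" and nothing else. */
bool dir_is_direct_child(const char *dir)
{
    size_t n = strlen(DUMP_LOCATION);
    if (dir == NULL || strncmp(dir, DUMP_LOCATION, n) != 0 || dir[n] != '/')
        return false;
    return name_is_single_component(dir + n + 1);
}

/* Validate both caller-controlled parameters before composing a path.
 * Returns 0 and fills out on success, -1 if either parameter is rejected
 * or the result does not fit. Lexical checks only: a real service must
 * also refuse symlinks when it opens the result (for example with
 * O_NOFOLLOW), which is not shown here. */
int element_path(const char *dir, const char *element, char *out, size_t len)
{
    if (!dir_is_direct_child(dir) || !name_is_single_component(element))
        return -1;
    int w = snprintf(out, len, "%s/%s", dir, element);
    return (w < 0 || (size_t)w >= len) ? -1 : 0;
}
```
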