The cgrulesengd daemon (cgred) in libcgroup through version 0.41 creates its log file (/var/log/cgred) with world-readable and world-writable permissions (mode 0666). The cause is in daemon/cgrulesengd.c:cgre_start_daemon(), which resets the file mode creation mask with umask(0) before the log file is created; the file is then created with the unmasked default mode, so any local user can read or write it. Upstream Patch: https://sourceforge.net/p/libcg/libcg/ci/0d88b73d189ea3440ccaab00418d6469f76fa590/
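The following C program is an added example, not code from libcgroup or from the upstream patch. It reproduces the mechanism described above on a scratch file (the path /tmp/cgred_umask_demo.log is an assumption for the demo): creating a log with fopen() under umask(0) yields 0666, under a normal umask of 022 it yields 0644, and the hardened variant opens the file with an explicit 0600 mode under a restrictive umask. The hardened function is one reasonable fix, not a claim about what the upstream commit changed.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return the permission bits (rwx for ugo) of path, or -1 if it cannot be stat()ed. */
static int file_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/*
 * Create a log file the way a daemon using fopen(path, "a") does, but under
 * the given umask, then restore the caller's umask. fopen() asks for 0666 and
 * the kernel clears the umask bits, so mask 0 gives 0666 (the cgred flaw) and
 * mask 022 gives 0644. Returns the resulting mode or -1 on failure.
 */
int log_mode_under_umask(const char *path, mode_t mask)
{
    mode_t old = umask(mask);
    unlink(path);                      /* start from a clean slate so the mode is ours */
    FILE *f = fopen(path, "a");
    umask(old);
    if (!f)
        return -1;
    fclose(f);
    return file_mode(path);
}

/*
 * Hardened variant (illustrative): request an explicit owner-only mode,
 * keep a restrictive umask while creating the file, and refuse to follow a
 * symlink planted at the log path. Returns the resulting mode or -1.
 */
int open_log_hardened(const char *path)
{
    mode_t old = umask(077);
    unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    umask(old);
    if (fd < 0)
        return -1;
    close(fd);
    return file_mode(path);
}

int main(void)
{
    const char *path = "/tmp/cgred_umask_demo.log";   /* demo path, an assumption */
    printf("umask(0)   + fopen(\"a\") -> %04o\n", log_mode_under_umask(path, 0));
    printf("umask(022) + fopen(\"a\") -> %04o\n", log_mode_under_umask(path, 022));
    printf("open(O_CREAT, 0600)      -> %04o\n", open_log_hardened(path));
    unlink(path);
    return 0;
}
```

The comparison makes the root cause visible: fopen() is not at fault, the daemon's own umask(0) is, because it removes the only protection the default 0666 creation mode relies on. Passing an explicit restrictive mode to open() removes the dependency on the umask altogether.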
Created libcgroup tracking bugs for this issue: Affects: fedora-all [bug 1611121]
Fedora is not affected: its build disables the daemon through the `--disable-daemon` option of the configure script, so the package does not contain the cgrulesengd binary at all.
In RHEL 7 the default options in /etc/sysconfig/cgred, which are used when the daemon is started through systemd, direct logging to the syslog facility. The daemon therefore does not create /var/log/cgred itself, so the default configuration is not exposed to this flaw; a configuration that switches logging back to a file would be.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2047 https://access.redhat.com/errata/RHSA-2019:2047
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-14348