A flaw was found in the way the dumpable flag was handled when certain SUID binaries executed their descendants. The prerequisite is a SUID binary that sets the real UID equal to the effective UID, and the real GID equal to the effective GID. The descendant will then have its dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with an eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges.
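As an added check that is not part of this report: a POSIX sh snippet that classifies a core_pattern value, so an administrator can tell whether a host is in the relative-pattern configuration the description above depends on (a pipe or absolute pattern means the dump never lands in the crashing process's current directory). The sysctl value mentioned in the comment is an illustrative choice, not taken from the report.

```shell
#!/bin/sh
# Classify a kernel core_pattern value (the contents of /proc/sys/kernel/core_pattern).
# Prints one of: pipe, absolute, relative.
#   pipe     - the dump is handed to a helper program; no file is written in the cwd
#   absolute - the dump is written under a fixed directory, whatever the cwd is
#   relative - the dump lands in the crashing process's current directory; this is
#              the configuration under which the flaw described above matters
classify_core_pattern() {
    pattern=$1
    case "$pattern" in
        "|"*) echo pipe ;;
        /*)   echo absolute ;;
        *)    echo relative ;;
    esac
}

# Returns 0 when the running kernel's core_pattern is relative, 1 otherwise
# (also 1 when the file is unreadable, e.g. inside a container or on a non-Linux host).
host_core_pattern_is_relative() {
    f=/proc/sys/kernel/core_pattern
    [ -r "$f" ] || return 1
    [ "$(classify_core_pattern "$(cat "$f")")" = relative ]
}

# Mitigation an administrator can apply (shown, not executed): point core_pattern at a
# root-owned directory via sysctl, for example (illustrative value, not from the report):
#   kernel.core_pattern = /var/crash/core.%e.%p

if host_core_pattern_is_relative; then
    echo "WARNING: core_pattern is relative: $(cat /proc/sys/kernel/core_pattern)"
else
    echo "core_pattern is not relative (or not readable on this host)"
fi
```

Run it as any user; reading core_pattern needs no privileges. The classification only inspects the first character, which is all the kernel uses to decide between a pipe handler, an absolute path and a path relative to the crashing process's cwd.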
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 2015987]
I proposed a patch upstream for this bug: https://email@example.com/T/#t