Comment 0 for bug 1452239

Marc Deslauriers (mdeslaur) wrote :

Sander Bos discovered that Apport enabled a user to perform a root escalation since it now configures fs.suid_dumpable=2.

Here's a brief description of the issue:
1- A regular user can trigger a coredump with /proc/$PID/stat as root:root simply by doing chmod u-r
2- The root-owned coredump will then be written in the CWD, which in the PoC is /etc/logrotate.d
3- logrotate will gladly skip parts of the coredump it doesn't understand and will successfully run the parts it does

I've requested a CRD of 2015-05-12 for the publication of this issue.

I have assigned CVE-2015-1324 to this issue.

We can either:

1- Disable fs.suid_dumpable=2
2- Stop creating core dump files when they are to be created as root
3- Create root-owned core dump files in a well-known location
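As an added illustration (not part of the bug report, not Apport code) of why the three options above differ, the following POSIX shell snippet classifies a host's core-dump policy from the two kernel knobs the report revolves around: fs.suid_dumpable (0 = privileged processes never dump, 1 = dump with the process's own credentials, 2 = dump readable only by root) and kernel.core_pattern (a leading `|` pipes the dump to a helper such as Apport; anything else is a file path, and a relative path resolves against the crashing process's CWD). The function names `classify_core_policy` and `check_live_core_policy` are my own; the pipe case is deliberately reported as "review" rather than "safe", because in the report above the helper (Apport) is exactly the component that wrote the root-owned file into the CWD.

```shell
#!/bin/sh
# Added example: classify a (suid_dumpable, core_pattern) pair from a defender's
# point of view. Output is "TOKEN: explanation" where TOKEN is one of
# safe / risky / review / unknown.
classify_core_policy() {
    suid_dumpable=$1
    core_pattern=$2
    case "$suid_dumpable" in
        0)
            # Option 1 in the report: privileged processes never dump at all.
            echo "safe: suid_dumpable=0, privileged processes do not dump core"
            ;;
        1)
            # Dump is owned by the process's effective credentials (often root),
            # and may contain secrets; treat as risky.
            echo "risky: suid_dumpable=1, privileged processes dump with their own credentials"
            ;;
        2)
            case "$core_pattern" in
                \|*)
                    # Kernel pipes the dump to a root-run helper; where and as whom
                    # that helper writes the core is the helper's decision (the
                    # Apport case above), so this needs manual review.
                    echo "review: suid_dumpable=2, dump piped to helper '${core_pattern#|}' running as root"
                    ;;
                /*)
                    # Absolute path: root-owned file in a fixed, reviewable place
                    # (option 3 in the report), but still a root-owned write.
                    echo "review: suid_dumpable=2, root-owned dump written to fixed path '$core_pattern'"
                    ;;
                *)
                    # Relative pattern: root-owned file lands in the crashing
                    # process's CWD, which an unprivileged user chooses.
                    echo "risky: suid_dumpable=2, root-owned dump written relative to process CWD ('$core_pattern')"
                    ;;
            esac
            ;;
        *)
            echo "unknown: unexpected suid_dumpable value '$suid_dumpable'"
            ;;
    esac
}

# Read the live values from /proc on a Linux host; on other systems report unknown.
check_live_core_policy() {
    if [ ! -r /proc/sys/fs/suid_dumpable ] || [ ! -r /proc/sys/kernel/core_pattern ]; then
        echo "unknown: /proc/sys core-dump settings not readable on this host"
        return 0
    fi
    classify_core_policy "$(cat /proc/sys/fs/suid_dumpable)" "$(cat /proc/sys/kernel/core_pattern)"
}

# Stand-alone usage: print the live classification.
check_live_core_policy
```

The mapping back to the report: option 1 turns the first case into "safe"; option 2 changes what the piped helper does when the dump would be root-owned; option 3 moves the root-owned file to a fixed location, which the classifier still flags for review because the write itself remains privileged.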