CVE-2021-3864

A setuid program that execs another program can core dump into a directory not writable by the caller; privilege escalation is possible.

References

Notes

 bwh> The PoC exploits logrotate's lax parsing of configuration files
 bwh> to inject commands via the coredump, but I think generally we
 bwh> should assume that bypassing write-protection in any way can
 bwh> lead to privilege escalation.
 bwh> sudo is an important part of the PoC and should disable
 bwh> coredumps by default.
 bwh> It's less clear what should be done in the kernel; possibly
 bwh> some resource limits should be reset on exec of a setuid
 bwh> program - see
 bwh> https://lore.kernel.org/linux-api/87fso91n0v.fsf_-_@email.froward.int.ebiederm.org/

Bugs

Status

Branch                    Status    Reason
upstream                  needed
6.18-upstream-stable
6.17-upstream-stable
6.12-upstream-stable
6.6-upstream-stable
6.1-upstream-stable       needed
5.10-upstream-stable      needed
4.9-upstream-stable       ignored   "EOL"
sid                       needed
6.12-trixie-security      needed
6.1-bookworm-security     needed
5.10-bullseye-security    needed
4.9-stretch-security      ignored   "EOL"