Package: corekeeper
Version: 1.6
Severity: critical
Tags: security
(I reported this privately in 2016...)
/usr/lib/corekeeper/dump does this:
mkdir -p "/var/crash/$owner"
This is pretty bad. /var/crash is world-writable, so anybody could have
created a subdirectory there. "mkdir -p" will succeed if
/var/crash/$owner/ exists, even when it's owned by another user.
An attacker could exploit this to read other users' core files.
Additionally, on systems that have protected_symlinks or
protected_symlinks disabled, this could be exploited to take ownership
of arbitrary files, or to overwrite arbitrary files.
I don't understand why /var/crash is world-writable; but if it has to be
for some reason, then the crash handler must verify that
/var/crash/$owner is in fact a directory owned by the right user.
Verifying that the directory has the right permissions (700) is probably
also a good idea.
--
Jakub Wilk
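The check the report asks for, written out as an added example (this is not corekeeper's own code and not from the reporter): instead of `mkdir -p`, the helper creates the per-user directory without `-p` so that a pre-existing entry is never silently adopted, then stats the entry itself (not what it might point to) and refuses anything that is a symlink, is not a directory, is owned by the wrong uid, or is not mode 0700. It assumes GNU `stat -c` and that the owner name resolves via `id -u`; `secure_crash_dir` and its variable names are illustrative.

```shell
#!/bin/sh
# Added example, not corekeeper's code. Hardened replacement for the
# unchecked `mkdir -p "/var/crash/$owner"`. Assumes GNU stat(1); the
# function name and messages are illustrative.

# secure_crash_dir BASE OWNER
# Prints BASE/OWNER and returns 0 only if it is a genuine directory (not a
# symlink) owned by OWNER with mode 0700. Creates it when absent. Anything
# pre-planted in the world-writable BASE by another user is rejected.
secure_crash_dir() {
    base=$1
    owner=$2
    dir="$base/$owner"

    # An owner string containing '/' or '..' could walk out of BASE.
    case "$owner" in
        ''|.|..|*/*) echo "secure_crash_dir: bad owner name '$owner'" >&2; return 1 ;;
    esac

    want_uid=$(id -u "$owner" 2>/dev/null) || {
        echo "secure_crash_dir: unknown user '$owner'" >&2; return 1; }

    # mkdir WITHOUT -p: it fails if any entry already exists at $dir, so a
    # directory or symlink planted by someone else is never accepted as ours.
    if mkdir -m 0700 "$dir" 2>/dev/null; then
        # chown needs root; skip it when we already are the intended owner.
        [ "$(id -u)" = "$want_uid" ] || chown "$owner" "$dir" || { rmdir "$dir"; return 1; }
    fi

    # Inspect the entry itself. [ -d ] follows symlinks, so test -L first.
    if [ -L "$dir" ]; then
        echo "secure_crash_dir: $dir is a symlink, refusing" >&2; return 1
    fi
    # stat(1) does not follow symlinks unless -L is given.
    info=$(stat -c '%u %a %F' "$dir" 2>/dev/null) || return 1
    set -- $info            # $1 = uid, $2 = octal mode, $3.. = file type
    [ "$3" = "directory" ] || { echo "secure_crash_dir: $dir is not a directory" >&2; return 1; }
    [ "$1" = "$want_uid" ] || { echo "secure_crash_dir: $dir owned by uid $1, expected $want_uid" >&2; return 1; }
    [ "$2" = "700" ]       || { echo "secure_crash_dir: $dir has mode $2, expected 700" >&2; return 1; }
    printf '%s\n' "$dir"
}

# Usage in a crash handler: dir=$(secure_crash_dir /var/crash "$owner") || exit 1
```

The stat-then-use sequence still leaves a small window between the check and the subsequent write into the directory; a shell script cannot close it completely. A C handler would open the directory with `O_DIRECTORY|O_NOFOLLOW`, `fstat()` the descriptor and create the core file relative to it with `openat()`, or, simpler still, the package would stop making /var/crash world-writable and have a privileged helper create the per-user directories.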