CVE-2021-3864

A setuid program that execs another program can core dump into a directory not writable by the caller; privilege escalation is possible.

References

Notes

 bwh> The PoC exploits logrotate's lax parsing of configuration files
 bwh> to inject commands via the coredump, but I think generally we
 bwh> should assume that bypassing write-protection in any way can
 bwh> lead to privilege escalation.
 bwh> sudo is an important part of the PoC and should disable
 bwh> coredumps by default.
 bwh> It's less clear what should be done in the kernel; possibly
 bwh> some resource limits should be reset on exec of a setuid
 bwh> program - see
 bwh> https://lore.kernel.org/linux-api/87fso91n0v.fsf_-_@email.froward.int.ebiederm.org/

Bugs

Status

Branch Status
4.19-buster-security needed
4.19-upstream-stable needed
5.10-bullseye-security needed
5.10-upstream-stable needed
6.1-bookworm-security needed
6.1-upstream-stable needed
6.6-upstream-stable unknown
6.8-upstream-stable unknown
sid needed
upstream needed