Package: corekeeper
Version: 1.6
Tags: security
(I reported this privately in 2016...)
/usr/lib/corekeeper/dump does this:
    # Check how many arguments the kernel sent us.
    if [ $# -eq 2 ] ; then
        # Awww, old kernel that does not support %d
        # Cannot set the core file owner safely, use root
        # See v3.6-6800-g12a2b4b in linux.git for more info
        uid="$1"
        core="$2"
        owner="0"
    elif [ $# -eq 3 ] ; then
        # Yay! A kernel that does support %d
        uid="$2"
        core="$3"
        owner="$2"
        # Set the core file owner safely
        if [ $1 -eq 2 ] ; then
            owner="0"
        fi
    else
        # Something is majorly broken.
        echo "This script should be run with three arguments and a core file on stdin" 1>&2
        exit 1
    fi
The majorly broken thing is, unfortunately, the Linux kernel. It does
argument splitting only _after_ it has expanded the macros. If the
executable name contains spaces, you will get more than 2 or 3
arguments. On kernels that don't support %d, this allows an attacker to
control the "owner" variable.
--
Jakub Wilk
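The argument shift described above, as an added example that is not part of the bug report or of corekeeper: the script below stands in for the kernel's format_corename() (expand the core_pattern macros) and argv_split() (split the expanded string on whitespace), then feeds the resulting arguments to a copy of the 2-/3-argument logic from /usr/lib/corekeeper/dump. The pipe pattern "%d %u %e" is an assumption (the report does not show corekeeper's actual pattern), and the helper names subst, expand_pattern, choose_owner and simulate are mine. All inputs are constructed.

```shell
#!/bin/sh
# Added example, not corekeeper's code: simulate the kernel's core_pattern
# expansion and argument splitting, then run the dump script's branch logic.

# ASSUMPTION: corekeeper's pipe pattern is "%d %u %e" (dumpable flag, uid,
# executable name). The real pattern is not shown in the report.
PATTERN='%d %u %e'

# subst STRING TOKEN VALUE: replace the first TOKEN in STRING (POSIX sh only).
subst() {
    case $1 in
        *"$2"*) printf '%s\n' "${1%%"$2"*}$3${1#*"$2"}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# expand_pattern FLAVOUR DUMPABLE UID COMM: stand-in for format_corename().
# Kernels from before v3.6-6800-g12a2b4b do not know %d and emit nothing for
# it (which is what the script's two-argument branch relies on); newer ones
# expand it to the dumpable flag (2 = setuid/privileged dump).
expand_pattern() {
    if [ "$1" = old ]; then
        out=$(subst "$PATTERN" %d "")
    else
        out=$(subst "$PATTERN" %d "$2")
    fi
    out=$(subst "$out" %u "$3")
    subst "$out" %e "$4"
}

# choose_owner ARGS...: the argument handling of /usr/lib/corekeeper/dump,
# reduced to printing the owner it would pick ("error" for the else branch).
choose_owner() {
    if [ $# -eq 2 ]; then
        owner=0            # no %d available: cannot decide safely, use root
    elif [ $# -eq 3 ]; then
        owner=$2           # "%d %u %e": the uid is the second argument ...
        if [ "$1" -eq 2 ]; then
            owner=0        # ... unless this is a setuid dump
        fi
    else
        printf 'error\n'
        return 1
    fi
    printf '%s\n' "$owner"
}

# simulate FLAVOUR DUMPABLE UID COMM: expand, split, classify.
simulate() {
    expanded=$(expand_pattern "$@")
    # argv_split() splits the already-expanded string on whitespace, which is
    # exactly what unquoted word splitting does here (set -f keeps globbing out).
    set -f
    set -- $expanded
    set +f
    choose_owner "$@"
}

# Constructed cases: uid 1000 dumps a process whose comm (%e) it chose itself.
# comm is at most 15 characters (TASK_COMM_LEN), so "1001 x" fits easily.
printf 'old kernel, comm "foo":     owner=%s\n' "$(simulate old 0 1000 foo)"
printf 'new kernel, comm "foo":     owner=%s\n' "$(simulate new 0 1000 foo)"
printf 'new kernel, setuid dump:    owner=%s\n' "$(simulate new 2 1000 foo)"
printf 'old kernel, comm "1001 x":  owner=%s\n' "$(simulate old 0 1000 '1001 x')"
printf 'new kernel, comm "a b":     owner=%s\n' "$(simulate new 0 1000 'a b')"
```

On the old-kernel flavour the expanded string " 1000 1001 x" splits into three arguments, so the script takes the %d branch and sets owner to "1001", a value the dumping user chose by naming its own executable; on the new-kernel flavour the same trick yields four arguments and falls into the error branch instead, matching the report's observation that only kernels without %d support are affected.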