Local information disclosure vulnerabilities in apport and systemd-coredump
Qualys disclosed local information disclosure vulnerabilities in apport and systemd-coredump (CVE-2025-5054 and CVE-2025-4598). The fix consists of taking the kernel's dumpable flag into account and using the new %F specifier to detect process replacement. Christian Brauner has backported the fixes to several stable kernel versions (v6.12, v6.6, etc.). 2025-6-2 15:37:0 Author: seclists.org


oss-sec mailing list archives


From: Jelle van der Waa <jelle () vdwaa nl>
Date: Mon, 2 Jun 2025 14:33:30 +0200

On 29/05/2025 19:17, Qualys Security Advisory wrote:

> Qualys Security Advisory
>
> Local information disclosure in apport and systemd-coredump
> (CVE-2025-5054 and CVE-2025-4598)
> <snip>
>
> The fix for these vulnerabilities is twofold:
>
> - always take account of the kernel's per-process "dumpable" flag (the
>   %d specifier), in every code path, to decide whether a non-root user
>   should be given read access to a core dump or not;
>
> - use the new %F specifier in /proc/sys/kernel/core_pattern (a pidfd to
>   the crashed process), which was implemented during this coordinated
>   vulnerability disclosure, to detect whether the crashed process was
>   replaced or not with another process, before its analysis; for more
>   information:
>
>   https://lore.kernel.org/all/20250414-work-coredump-v2-0-685bf231f828 () kernel org/

Christian Brauner has backported fixes for this issue to all stable kernel series. Quoting his Mastodon post:

> I have done custom backports of the patches to install a pidfd into the legacy usermodehelper coredump handler for v6.12, v6.6, v6.1, v5.14, v5.10, and v5.4.

LKML post:

https://lore.kernel.org/linux-fsdevel/20250602-eilte-experiment-4334f67dc5d8@brauner/T/#m03e7e205c913101dc452c391bf283661049ca494
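As an added illustration of the two-part fix quoted above (this is example code, not code from the advisory, from apport or from systemd-coredump), a minimal core handler that decides file ownership from the kernel-supplied %d value alone and uses the %F pidfd to confirm the crashed process is still the one behind the pid before anything under /proc/<pid> is consulted. The core_pattern layout, the argument order and the assumption that %F arrives as an inherited fd number are this example's own.

```python
import sys
from dataclasses import dataclass

# Assumed handler line in /proc/sys/kernel/core_pattern (this example's own layout):
#   |/usr/local/bin/corecheck %P %d %F %u %g
# %P = pid, %d = dumpable flag, %F = pidfd to the crashed process, %u/%g = real uid/gid.

@dataclass
class CrashInfo:
    pid: int
    dumpable: int
    pidfd: int
    uid: int
    gid: int

def parse_core_args(argv):
    """Turn the values the kernel expanded into argv into a CrashInfo."""
    if len(argv) < 6:
        raise ValueError("expected: handler PID DUMPABLE PIDFD UID GID")
    pid, dumpable, pidfd, uid, gid = (int(v) for v in argv[1:6])
    return CrashInfo(pid, dumpable, pidfd, uid, gid)

def core_owner_and_mode(info):
    """Decide who may read the dump from the kernel-supplied %d value alone.
    1 = ordinary process, readable by its real uid; anything else (2 = suid,
    setcap or otherwise protected) is root-only. /proc/<pid>/status is never
    re-read, so a process that later reuses the pid cannot influence this."""
    if info.dumpable == 1:
        return (info.uid, info.gid, 0o600)
    return (0, 0, 0o600)

def pidfd_still_names(fdinfo_text, expected_pid):
    """Check the 'Pid:' line of /proc/self/fdinfo/<pidfd> against %P. The
    kernel prints -1 there once the task behind the pidfd is gone; a mismatch
    means anything under /proc/<pid> may now describe a different process."""
    for line in fdinfo_text.splitlines():
        if line.startswith("Pid:"):
            return int(line.split()[1]) == expected_pid
    return False

def main(argv):
    info = parse_core_args(argv)
    with open(f"/proc/self/fdinfo/{info.pidfd}") as f:  # assumed: %F is an fd number
        fdinfo = f.read()
    if not pidfd_still_names(fdinfo, info.pid):
        sys.exit(f"pid {info.pid} no longer backs the pidfd; not touching /proc")
    print("owner uid/gid and mode:", core_owner_and_mode(info))

if __name__ == "__main__":
    main(sys.argv)
```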


Source: https://seclists.org/oss-sec/2025/q2/192