The Qualys Threat Research Unit (TRU) discovered that systemd-coredump is prone to a kill-and-replace race condition which may allow a local attacker to gain sensitive information from crashed SUID processes. Additionally systemd-coredump does not specify %d (the kernel's per- process "dumpable" flag) in /proc/sys/kernel/core_pattern allowing a local attacker to crash root daemons that fork() and setuid() to the attacker's uid and consequently gain read access to the resulting core dumps and therefore to sensitive information from memory of the root daemons.
Details can be found in the Qualys advisory at https://www.qualys.com/2025/05/29/apport-coredump/apport-coredump.txt
https://security-tracker.debian.org/tracker/DSA-5931-1
Continue reading...
Details can be found in the Qualys advisory at https://www.qualys.com/2025/05/29/apport-coredump/apport-coredump.txt
https://security-tracker.debian.org/tracker/DSA-5931-1
Continue reading...
