Description: setuid program that exec's can coredump in dir not writable by caller; priv-esc possible
References:
 https://www.openwall.com/lists/oss-security/2021/10/20/2
 https://bugzilla.redhat.com/show_bug.cgi?id=2015046
 https://lore.kernel.org/all/20211221021744.864115-1-longman@redhat.com
 https://lore.kernel.org/lkml/20211228170910.623156-1-wander@redhat.com
 https://lore.kernel.org/all/20211226150310.GA992@1wt.eu/
Notes:
 bwh> The PoC exploits logrotate's lax parsing of configuration files
 bwh> to inject commands via the coredump, but I think generally we
 bwh> should assume that bypassing write-protection in any way can
 bwh> lead to privilege escalation.
 bwh> sudo is an important part of the PoC and should disable core
 bwh> dumps by default.
 bwh> It's less clear what should be done in the kernel; possibly
 bwh> some resource limits should be reset on exec of a setuid
 bwh> program - see
 bwh> https://lore.kernel.org/linux-api/87fso91n0v.fsf_-_@email.froward.int.ebiederm.org/
Bugs:
upstream: needed
6.1-upstream-stable: needed
5.10-upstream-stable: needed
4.19-upstream-stable: needed
4.9-upstream-stable: ignored "EOL"
sid: needed
6.1-bookworm-security: needed
5.10-bullseye-security: needed
4.19-buster-security: needed
4.9-stretch-security: ignored "EOL"
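The mechanism behind the notes above: on Linux the dumpable flag is recomputed by execve() (a non-setuid image whose uid matches its euid becomes dumpable again), whereas resource limits are inherited across fork() and preserved across execve(). A setuid helper that does not want the command it runs to be able to write a core file into a directory the invoking user cannot write must therefore zero RLIMIT_CORE before the exec; clearing the dumpable flag alone is not enough. The following is an added C example of that userspace mitigation and is not code from this tracker entry, from sudo or from the kernel; the function names disable_core_dumps() and core_dumps_disabled() are illustrative, and the exec of /bin/sh at the end is only there to show that the limit survives the exec.

```c
/* Added example (not from the tracker entry, sudo or the kernel):
 * disable core dumps in a privileged helper before it exec()s a command. */
#include <stdio.h>
#include <unistd.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Set both the soft and the hard RLIMIT_CORE to 0.  Limits are inherited
 * across fork() and kept across execve(), so the exec'd command cannot
 * dump core and, lacking CAP_SYS_RESOURCE, cannot raise the hard limit
 * again.  Returns 0 on success, -1 on failure. */
int disable_core_dumps(void)
{
    struct rlimit rl = { .rlim_cur = 0, .rlim_max = 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
#ifdef __linux__
    /* Belt and braces only: execve() recomputes the dumpable flag, so
     * PR_SET_DUMPABLE protects this process, not the command it execs.
     * RLIMIT_CORE is the control that actually carries over. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
#endif
    return 0;
}

/* Returns 1 if both the soft and the hard core size limits are 0
 * for the calling process, 0 otherwise. */
int core_dumps_disabled(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    return rl.rlim_cur == 0 && rl.rlim_max == 0;
}

int main(void)
{
    if (disable_core_dumps() != 0) {
        perror("disable_core_dumps");
        return 1;
    }
    if (!core_dumps_disabled()) {
        fputs("core dump limit is not zero\n", stderr);
        return 1;
    }
    /* The exec'd shell inherits the zeroed limit and prints "0" for
     * its own core file size limit. */
    execl("/bin/sh", "sh", "-c", "ulimit -c", (char *)NULL);
    perror("execl");
    return 1;
}
```

Placed before the exec in a setuid program, disable_core_dumps() is the userspace side of what the notes ask sudo to do by default. It does nothing about the kernel side discussed in the linux-api thread referenced above, which is whether the kernel itself should reset such limits when a setuid program is exec'd.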