Description: setuid program that exec's can coredump in dir not writable by caller; priv-esc possible
References:
Notes:
 bwh> The PoC exploits logrotate's lax parsing of configuration files
 bwh> to inject commands via the coredump, but I think generally we
 bwh> should assume that bypassing write-protection in any way can
 bwh> lead to privilege escalation.
 bwh> sudo is an important part of the PoC and should disable
 bwh> coredumps by default.
 bwh> It's less clear what should be done in the kernel; possibly
 bwh> some resource limits should be reset on exec of a setuid
 bwh> program - see
Bugs:
upstream: needed
5.10-upstream-stable: needed
4.19-upstream-stable: needed
4.9-upstream-stable: needed
sid: needed
5.10-bullseye-security: needed
4.19-buster-security: needed
4.9-stretch-security: needed