On 29/05/2025 19:17, Qualys Security Advisory wrote:
> Qualys Security Advisory
> Local information disclosure in apport and systemd-coredump
> (CVE-2025-5054 and CVE-2025-4598)
> <snip>
> The fix for these vulnerabilities is twofold:
> - always take account of the kernel's per-process "dumpable" flag (the
> %d specifier), in every code path, to decide whether a non-root user
> should be given read access to a core dump or not;
> - use the new %F specifier in /proc/sys/kernel/core_pattern (a pidfd to
> the crashed process), which was implemented during this coordinated
> vulnerability disclosure, to detect whether the crashed process was
> replaced or not with another process, before its analysis; for more
> information:
> https://lore.kernel.org/all/20250414-work-coredump-v2-0-685bf231f...@kernel.org/
Christian Brauner has backported fixes for this issue to all stable
kernel series. Quoting his Mastodon post:
> I have done custom backports of the patches to install a pidfd into
> the legacy usermodehelper coredump handler for v6.12, v6.6, v6.1, v5.14,
> v5.10, and v5.4.
LKML post:
https://lore.kernel.org/linux-fsdevel/20250602-eilte-experiment-4334f67dc5d8@brauner/T/#m03e7e205c913101dc452c391bf283661049ca494
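To make the two-part fix from the quoted advisory concrete, here is a small
pipe-mode core handler skeleton. This is example code written for this reply,
not apport's or systemd-coredump's code, and it simplifies what both really do.
It assumes core_pattern is set to a pipe of the form
"|/usr/local/libexec/my-coredump %P %u %g %s %d %F" (a hypothetical handler
path), that the handler runs in the initial PID namespace like any
usermodehelper, and that dumps are written under a directory chosen by the
caller. The dump-mode values follow the kernel's PR_GET_DUMPABLE /
fs.suid_dumpable semantics (0 = never dump, 1 = dumpable, 2 = "suidsafe",
root-readable only); the pidfd check reads the "Pid:" line of
/proc/self/fdinfo/<fd>, which the kernel reports as -1 once the task is gone,
and then probes liveness with signal 0. Because holding the pidfd pins the
struct pid, the crashed process's PID cannot be recycled while the handler has
the fd open, so a successful check means /proc/<pid>/ still belongs to the
process that crashed.

```python
"""Illustrative core-dump handler for the %d and %F core_pattern specifiers.

Added example for this thread, not apport's or systemd-coredump's code.
Assumed core_pattern: |/usr/local/libexec/my-coredump %P %u %g %s %d %F
"""
import os
import signal
import sys
from dataclasses import dataclass

# Kernel dump modes (PR_GET_DUMPABLE / fs.suid_dumpable semantics).
DUMPABLE_NO = 0        # never dump
DUMPABLE_YES = 1       # ordinary process: its owner may read the dump
DUMPABLE_SUIDSAFE = 2  # privileged/setuid process: root only


@dataclass
class CrashInfo:
    pid: int        # %P, PID in the initial namespace
    uid: int        # %u, real uid of the crashed process
    gid: int        # %g, real gid of the crashed process
    sig: int        # %s, signal that caused the dump
    dump_mode: int  # %d, the kernel's per-process dumpable flag
    pidfd: int      # %F, number of the pidfd the kernel installed for us


def parse_args(argv):
    """Parse the six fields in the order the assumed core_pattern passes them."""
    if len(argv) != 6:
        raise ValueError("expected %P %u %g %s %d %F")
    pid, uid, gid, sig, mode, pidfd = map(int, argv)
    return CrashInfo(pid, uid, gid, sig, mode, pidfd)


def decide_access(info):
    """Return (owner_uid, owner_gid, file_mode) for the dump, or None to skip.

    Only the kernel-supplied dump mode decides who may read the dump; nothing
    read from /proc/<pid>/ (which may already describe another process) is
    consulted for this decision.
    """
    if info.dump_mode == DUMPABLE_NO:
        return None
    if info.dump_mode == DUMPABLE_YES:
        return (info.uid, info.gid, 0o640)
    # DUMPABLE_SUIDSAFE, or any value we do not recognise: root only.
    return (0, 0, 0o600)


def pidfd_pid(pidfd):
    """PID the pidfd refers to, from /proc/self/fdinfo; -1 once the task is gone."""
    with open(f"/proc/self/fdinfo/{pidfd}") as f:
        for line in f:
            if line.startswith("Pid:"):
                return int(line.split()[1])
    raise OSError(f"fd {pidfd} is not a pidfd")


def crashed_process_is_intact(info):
    """True iff the pidfd still refers to a live task whose PID is %P.

    While we hold the pidfd the kernel cannot reuse this PID for a new
    process, so passing this check means /proc/<pid>/ is the crashed process.
    """
    if pidfd_pid(info.pidfd) != info.pid:
        return False
    try:
        signal.pidfd_send_signal(info.pidfd, 0)  # probe without signalling
    except ProcessLookupError:
        return False
    return True


def write_dump(info, core_bytes, directory):
    """Create the dump file with the ownership and mode chosen by decide_access.

    Returns the path written, or None when the dump must be skipped.
    """
    access = decide_access(info)
    if access is None:
        return None
    owner_uid, owner_gid, mode = access
    path = os.path.join(directory, f"core.{info.pid}.{info.sig}")
    # O_EXCL so an attacker cannot pre-create the file; mode applied at creation.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    try:
        os.fchown(fd, owner_uid, owner_gid)
        os.write(fd, core_bytes)
    finally:
        os.close(fd)
    return path


def main(argv=sys.argv[1:], directory="/var/lib/my-coredump"):
    info = parse_args(argv)
    # Verify the process identity before touching /proc/<pid>/ at all.
    if not crashed_process_is_intact(info):
        return 1
    core = sys.stdin.buffer.read()  # the kernel pipes the core image on stdin
    return 0 if write_dump(info, core, directory) is not None else 0


if __name__ == "__main__":
    sys.exit(main())
```

The order matters: the access decision uses %d only, and the pidfd check runs
before any /proc/<pid>/ lookup, which is the pattern the advisory's fix
describes.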