<html>
<head>
<base href="https://bugs.freedesktop.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - systemd-coredump can run elfutils as root"
href="https://bugs.freedesktop.org/show_bug.cgi?id=87354">87354</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>systemd-coredump can run elfutils as root
</td>
</tr>
<tr>
<th>Product</th>
<td>systemd
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Other
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Component</th>
<td>general
</td>
</tr>
<tr>
<th>Assignee</th>
<td>systemd-bugs@lists.freedesktop.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>bugzilla@hadess.net
</td>
</tr>
<tr>
<th>QA Contact</th>
<td>systemd-bugs@lists.freedesktop.org
</td>
</tr></table>
<p>
<div>
<pre>If a process running as root crashed, systemd-coredump would change the
effective uid/gid to that of the crashing program.
So a carefully crafted coredump could hit elfutils parsing bugs to run
arbitrary programs as the same user that crashed.
The solution would be to avoid running elfutils code as any privileged user.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the QA Contact for the bug.</li>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>