<html> <head> <base href="https://bugs.freedesktop.org/" /> </head> <body><table border="1" cellspacing="0" cellpadding="8"> <tr> <th>Bug ID</th> <td><a class="bz_bug_link bz_status_NEW " title="NEW - systemd-coredump can run elfutils as root" href="https://bugs.freedesktop.org/show_bug.cgi?id=87354">87354</a> </td> </tr> <tr> <th>Summary</th> <td>systemd-coredump can run elfutils as root </td> </tr> <tr> <th>Product</th> <td>systemd </td> </tr> <tr> <th>Version</th> <td>unspecified </td> </tr> <tr> <th>Hardware</th> <td>Other </td> </tr> <tr> <th>OS</th> <td>All </td> </tr> <tr> <th>Status</th> <td>NEW </td> </tr> <tr> <th>Severity</th> <td>normal </td> </tr> <tr> <th>Priority</th> <td>medium </td> </tr> <tr> <th>Component</th> <td>general </td> </tr> <tr> <th>Assignee</th> <td>systemd-bugs@lists.freedesktop.org </td> </tr> <tr> <th>Reporter</th> <td>bugzilla@hadess.net </td> </tr> <tr> <th>QA Contact</th> <td>systemd-bugs@lists.freedesktop.org </td> </tr></table> <p> <div> <pre>If a process running as root crashed, systemd-coredump would change the effective uid/gid to that of the crashing program. So a carefully crafted coredump could hit elfutils parsing bugs to run arbitrary programs as the same user that crashed. The solution would be to avoid running elfutils code as any privileged user.</pre> </div> </p> <hr> <span>You are receiving this mail because:</span> <ul> <li>You are the QA Contact for the bug.</li> <li>You are the assignee for the bug.</li> </ul> </body> </html>