[Git][security-tracker-team/security-tracker][master] CVE-2025-4598 fix of incomplete fix of CVE-2022-4415

Bastien Roucariès (@rouca) rouca at debian.org
Mon Jun 16 20:45:59 BST 2025



Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4f804fd6 by Bastien Roucariès at 2025-06-16T21:44:17+02:00
CVE-2025-4598 fix of incomplete fix of CVE-2022-4415

According to the full description of CVE-2025-4598:
> Similarly to apport, systemd-coredump writes all core files into a
> hard-coded directory, /var/lib/systemd/coredump/. Before December 2022,
> systemd-coredump allowed users to read all of their core files (through
> file ACLs), including the core files of SUID or SGID programs, which of
> course allowed local attackers to read the contents of /etc/shadow by
> simply crashing su for example; this vulnerability was CVE-2022-4415,
>
> discovered and published by Matthias Gerstner:
>   https://www.openwall.com/lists/oss-security/2022/12/21/3
>
> This old vulnerability was patched by introducing a new function,
> grant_user_access(), which decides whether a user should be allowed to
> read a core file or not, by analyzing the /proc/pid/auxv of the crashed
> process: if its AT_UID and AT_EUID match, and if its AT_GID and AT_EGID
> match, and if its AT_SECURE flag is 0, then read access is allowed;
> otherwise (if the crashed process is SUID or SGID), read access is
> denied (only root can read the core file).
> [...]
> Unfortunately, we soon realized that systemd-coredump does not provide
> any protection at all against the kill-and-replace race condition that
> we exploited in apport. In other words, an attacker can simply crash a
> SUID process such as unix_chkpwd, SIGKILL and replace it with a non-SUID
> process (before its /proc/pid/auxv is analyzed by systemd-coredump), and
> therefore gain read access to the core file of the crashed SUID process,
> and hence to the contents of /etc/shadow.

- - - - -
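The auxv-based rule quoted in the commit message (real and effective ids must match and AT_SECURE must be 0, otherwise only root may read the core), as an added illustration that is not code from systemd or from this commit. The two constructed auxv images below stand in for an unprivileged process and a SUID process; the comment on the /proc reader restates why this check alone is racy, which is the point of the CVE.

```c
#include <elf.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Apply the CVE-2022-4415 access rule to an auxv image (Elf64_auxv_t array,
 * terminated by AT_NULL or by n_entries). Missing entries fail closed. */
bool auxv_allows_user_access(const Elf64_auxv_t *auxv, size_t n_entries) {
    uint64_t uid = 0, euid = 0, gid = 0, egid = 0, secure = 0;
    int seen = 0;  /* bitmask: 1=UID 2=EUID 4=GID 8=EGID */
    for (size_t i = 0; i < n_entries && auxv[i].a_type != AT_NULL; i++) {
        uint64_t v = auxv[i].a_un.a_val;
        switch (auxv[i].a_type) {
        case AT_UID:    uid = v;    seen |= 1; break;
        case AT_EUID:   euid = v;   seen |= 2; break;
        case AT_GID:    gid = v;    seen |= 4; break;
        case AT_EGID:   egid = v;   seen |= 8; break;
        case AT_SECURE: secure = v;            break;
        }
    }
    if (seen != 15) return false;                 /* incomplete auxv: deny */
    return uid == euid && gid == egid && secure == 0;
}

/* Read /proc/<pid>/auxv and apply the rule. A pid can be reused between the
 * crash and this read (the kill-and-replace race in the advisory), so the
 * caller must hold a stable handle such as a pidfd for this to be sound. */
bool pid_allows_user_access(pid_t pid) {
    char path[64];
    Elf64_auxv_t buf[64];
    snprintf(path, sizeof path, "/proc/%ld/auxv", (long)pid);
    FILE *f = fopen(path, "rb");
    if (!f) return false;
    size_t n = fread(buf, sizeof buf[0], sizeof buf / sizeof buf[0], f);
    fclose(f);
    return auxv_allows_user_access(buf, n);
}

/* Constructed sample: ordinary process, uid 1000 throughout, AT_SECURE 0. */
bool sample_unprivileged_allowed(void) {
    const Elf64_auxv_t a[] = {{AT_UID, {1000}}, {AT_EUID, {1000}}, {AT_GID, {1000}},
                              {AT_EGID, {1000}}, {AT_SECURE, {0}}, {AT_NULL, {0}}};
    return auxv_allows_user_access(a, sizeof a / sizeof a[0]);  /* true */
}

/* Constructed sample: SUID-root binary run by uid 1000, AT_SECURE 1. */
bool sample_setuid_allowed(void) {
    const Elf64_auxv_t a[] = {{AT_UID, {1000}}, {AT_EUID, {0}}, {AT_GID, {1000}},
                              {AT_EGID, {1000}}, {AT_SECURE, {1}}, {AT_NULL, {0}}};
    return auxv_allows_user_access(a, sizeof a / sizeof a[0]);  /* false */
}
```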


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -4544,6 +4544,7 @@ CVE-2025-37993 (In the Linux kernel, the following vulnerability has been resolv
 CVE-2025-4598 (A vulnerability was found in systemd-coredump. This flaw allows an att ...)
 	{DSA-5931-1}
 	- systemd 257.6-1 (bug #1106785)
+	[bullseye] - systemd <ignored> (fix of incomplete fix of ignored CVE-2022-4415)
 	NOTE: https://www.qualys.com/2025/05/29/apport-coredump/apport-coredump.txt
 	NOTE: For a comprehensive fix a kernel change is required (to hand a pidfd to the usermode
 	NOTE: coredump helper):
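Review bot: the rationale on the added `[bullseye] - systemd <ignored>` line ("fix of incomplete fix of ignored CVE-2022-4415") is hard to parse for anyone later triaging the package. Spell the decision out and tie it to the kernel-change NOTE two lines below, e.g. `[bullseye] - systemd <ignored> (Incomplete fix of CVE-2022-4415, itself ignored for bullseye; comprehensive fix needs the kernel pidfd change)`.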
@@ -4567,6 +4568,7 @@ CVE-2025-4598 (A vulnerability was found in systemd-coredump. This flaw allows a
 	NOTE: Fixed by: https://github.com/systemd/systemd-stable/commit/7fc7aa5a4d28d7768dfd1eb85be385c3ea949168 (v254.26)
 	NOTE: Fixed by: https://github.com/systemd/systemd-stable/commit/19b228662e0fcc6596c0395a0af8486a4b3f1627 (v253.33)
 	NOTE: Fixed by: https://github.com/systemd/systemd-stable/commit/2eb46dce078334805c547cbcf5e6462cf9d2f9f0 (v252.38)
+	NOTE: according to description fix of incomplete fix of CVE-2022-4415
 CVE-2025-5054 (Race condition in Canonical apport up to and including 2.32.0 allows a ...)
 	NOT-FOR-US: Apport
 CVE-2025-27464
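Review bot: the new `NOTE: according to description fix of incomplete fix of CVE-2022-4415` line repeats what the `[bullseye]` entry in the previous hunk already says and "according to description" is ungrammatical. Either drop it or make it carry something the other line does not, e.g. `NOTE: Qualys advisory: the kill-and-replace race bypasses the grant_user_access() check introduced for CVE-2022-4415`, so a reader of the NOTE block sees why the earlier fix is incomplete without opening the URL on the first NOTE.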



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f804fd622160c64f5934fc9a3d1804c84514233
