ccpp: save abrt core files only to new files

Prior this commit abrt-hook-ccpp saved a core file generated by a process running a program whose name starts with "abrt" in DUMP_LOCATION/$(basename program)-coredump. If the file was a symlink, the hook followed and wrote core file to the symlink's target. Addresses CVE-2015-5287 Signed-off-by: Jakub Filak <jfilak@redhat.com>
abrt · Nov 23, 2015 · 3c1b60c · 3c1b60c
1 parent dec3089
commit 3c1b60c
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/src/hooks/abrt-hook-ccpp.c b/src/hooks/abrt-hook-ccpp.c
@@ -718,7 +718,8 @@ int main(int argc, char** argv)
         if (snprintf(path, sizeof(path), "%s/%s-coredump", g_settings_dump_location, last_slash) >= sizeof(path))
             error_msg_and_die("Error saving '%s': truncated long file path", path);
 
-        int abrt_core_fd = xopen3(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+        unlink(path);
+        int abrt_core_fd = xopen3(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
         off_t core_size = copyfd_eof(STDIN_FILENO, abrt_core_fd, COPYFD_SPARSE);
         if (core_size < 0 || fsync(abrt_core_fd) != 0)
         {