From: Mike Bradeen Date: Thu, 15 Jan 2026 19:43:22 +0000 (-0700) Subject: ast_coredumper: create gdbinit file with restrictive permissions X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=de37314f85e8954c5a19c2fe9327adef56b06c48;p=thirdparty%2Fasterisk.git ast_coredumper: create gdbinit file with restrictive permissions Modify gdbinit to use the install command with explicit permissions (-m 600) when creating the .ast_coredumper.gdbinit file. This ensures the file is created with restricted permissions (readable/writable only by the owner) to avoid potential privilege escalation. Resolves: #GHSA-xpc6-x892-v83c
---
diff --git a/contrib/scripts/ast_coredumper b/contrib/scripts/ast_coredumper
index 2d8ea76726..98f79f00f1 100755
--- a/contrib/scripts/ast_coredumper
+++ b/contrib/scripts/ast_coredumper
@@ -115,6 +115,7 @@ if $RUNNING ; then
 if ${DRY_RUN} ; then
 echo "Would run: ${GDB} -p $MAIN_PID -q --batch --ex gcore $cf"
 else
+ install -m 0600 /dev/null "$cf"
 ${GDB} -p "$MAIN_PID" -q --batch --ex "gcore $cf" >/dev/null 2>&1
 fi
 echo "$(S_COR "${DRY_RUN}" 'Simulated dump' 'Dump') is complete."
@@ -243,7 +244,7 @@ fi
 gdbinit=${OUTPUTDIR}/.ast_coredumper.gdbinit
 trap 'rm $gdbinit' EXIT
-sed '1,/^#@@@SCRIPTSTART@@@/ d' "$0" >"$gdbinit"
+install -m 600 /dev/stdin "$gdbinit" < <(sed '1,/^#@@@SCRIPTSTART@@@/ d' "$0")
 # Now iterate over the coredumps and dump the debugging info
 for i in "${!COREDUMPS[@]}" ; do
@@ -295,6 +296,7 @@ for i in "${!COREDUMPS[@]}" ; do
 of=${OUTPUTDIR}/${cfname}-${BASH_REMATCH[1]}
 of=${of//:/-}
 rm -f "$of"
+ install -m 0600 /dev/null "$of"
 msg " Creating $of"
 fi
 echo -e $"$line" >> "$of"
@@ -313,6 +315,7 @@ for i in "${!COREDUMPS[@]}" ; do
 rm -rf "${dest}" 2>/dev/null || :
 astbindir=$(dirname "${astbin}")
+ install -m 0700 -d "${dest}"
 mkdir -p "${dest}/tmp" "${dest}/${moddir}" "${dest}/etc" \
 "${dest}/${etcdir}" "${dest}/${libdir}" "${dest}/${astbindir}"
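Review bot: The pre-created `$cf` only protects the dump if `install` succeeds and gdb's `gcore` then writes into that same file instead of replacing it, and neither is checked at the added line in the `else` branch. If `install` fails, the script carries on and the core is written with whatever mode the current umask gives. Consider `install -m 0600 /dev/null "$cf" || exit 1` (or the script's usual error path), or a single `umask 077` near the top of the script so every file it creates starts out private. The same create-then-write pattern is used for `$of` (hunk at -295) and `$tf` (hunks at -337 and -350). The enclosing `if $RUNNING` block starts and ends outside the hunk.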
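Review bot: A failed `install` on the added line may leave whatever already sits at `$gdbinit` in place, and the script would go on using that path, presumably handing it to gdb later. Unless `set -e` is active outside this hunk, the result should be checked by appending `|| exit 1` (or the script's usual error path) to the `install -m 600 /dev/stdin "$gdbinit" < <(sed …)` line. The exit status of `sed` inside the process substitution is not propagated either, so an empty or truncated init file would go unnoticed. As a style point, the mode is written `600` here and `0600` in the other hunks; one form throughout would read better. The context line `trap 'rm $gdbinit' EXIT` expands the path unquoted, so `trap 'rm -f -- "$gdbinit"' EXIT` would be the safer form.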
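Review bot: The result of `install -m 0700 -d "${dest}"` is not checked, and the `rm -rf "${dest}" 2>/dev/null || :` just above it deliberately ignores failure. If a `${dest}` that the script cannot remove or re-mode already exists, the following `mkdir -p` still populates it under its existing owner and permissions. Suggest `install -m 0700 -d "${dest}" || exit 1` (or the script's usual error path). Where `${dest}` points is set outside the hunk, so how exposed that location is cannot be judged from here.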
@@ -337,6 +340,7 @@ for i in "${!COREDUMPS[@]}" ; do
 cp -a "${astbin}" "${dest}/${astbin}"
 rm -rf "${tf}"
 msg " Creating ${tf}"
+ install -m 0600 /dev/null "$tf"
 tar -chzf "${tf}" --transform="s/^[.]/${cfname}.output/" -C "${dest}" .
 sleep 3
 rm -rf "${dest}"
@@ -350,6 +354,7 @@ for i in "${!COREDUMPS[@]}" ; do
 rm -rf "${dest}" 2>/dev/null || :
 mkdir -p "${dest}"
 cp "${OUTPUTDIR}/${cfname}"*.txt "${dest}/"
+ install -m 0600 /dev/null "$tf"
 tar -chzf "${tf}" --transform="s/^[.]/${cfname}/" -C "${dest}" .
 rm -rf "${dest}"
 echo "Created $tf"
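Review bot: The staging directory in the -350 hunk is still created with `mkdir -p "${dest}"` under the default umask, while the hunk at -313 switched to `install -m 0700 -d "${dest}"`. For consistency the same call should replace the `mkdir -p` here: `install -m 0700 -d "${dest}"`. The copied `.txt` files probably keep the 0600 mode they were created with, so what stays visible to other users is mainly the directory listing until `rm -rf "${dest}"` runs. The surrounding `for` loop body starts and ends outside the hunk.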