The seunshare_mount function in sandbox/seunshare.c in seunshare in certain
Red Hat packages of policycoreutils 2.0.83 and earlier in Red Hat
Enterprise Linux (RHEL) 6 and earlier, and Fedora 14 and earlier, mounts a
new directory on top of /tmp without assigning root ownership and the
sticky bit to this new directory, which allows local users to replace or
delete arbitrary /tmp files, and consequently cause a denial of service or
possibly gain privileges, by running a setuid application that relies on
/tmp, as demonstrated by the ksu application.
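
The two properties named above (root ownership and the sticky bit) can be checked on whatever directory is, or is about to be, visible at /tmp. The following C check is an added example, not code from policycoreutils or from the fix for this issue; the function name, the result codes and the `expected_uid` parameter are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes (hypothetical names, not from policycoreutils). */
enum { TMP_OK = 0, TMP_ERR_OPEN = -1, TMP_ERR_OWNER = -2, TMP_ERR_NO_STICKY = -3 };

/*
 * Check the directory that is, or is about to be, visible at /tmp.
 * expected_uid is 0 for a real /tmp; it is a parameter so the check can be
 * exercised without root.
 */
int tmp_dir_check(const char *path, uid_t expected_uid)
{
    struct stat st;
    /* O_DIRECTORY|O_NOFOLLOW: reject non-directories and a symlink in the final
     * component; fstat() on the fd inspects the object actually opened. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return TMP_ERR_OPEN;
    int rc = fstat(fd, &st);
    close(fd);
    if (rc != 0)
        return TMP_ERR_OPEN;
    /* The owner of a writable directory can remove any entry in it. */
    if (st.st_uid != expected_uid)
        return TMP_ERR_OWNER;
    /* A group- or world-writable directory without the sticky bit lets any
     * writer rename or unlink files that belong to other users. */
    if ((st.st_mode & (S_IWGRP | S_IWOTH)) && !(st.st_mode & S_ISVTX))
        return TMP_ERR_NO_STICKY;
    return TMP_OK;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp";
    int rc = tmp_dir_check(path, 0);   /* a real /tmp must be owned by root */
    printf("%s: %s\n", path, rc == TMP_OK ? "ok" : "unsafe as /tmp");
    return rc == TMP_OK ? EXIT_SUCCESS : EXIT_FAILURE;
}
```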

Updated: 2019-01-14 21:14:26 UTC (commit 51f9b73af244ba86b9321e46e526586c25a8e060)