I backported this patch to 2.6.22.y tree.

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6206

    ---

    original patch:

    c46f739dd39db3b07ab5deb4e3ec81e1c04a91af in linux-2.6.git

    Ingo Molnar [Wed, 28 Nov 2007 12:59:18 +0000 (13:59 +0100)]
     fix: http://bugzilla.kernel.org/show_bug.cgi?id=3043

     only allow coredumping to the same uid that the coredumping
     task runs under.

    Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com>


---
 fs/exec.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c
index 3da429d..224e973 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1561,6 +1561,12 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
 	   but keep the previous behaviour for now. */
 	if (!ispipe && !S_ISREG(inode->i_mode))
 		goto close_fail;
+	/*
+	 * Dont allow local users get cute and trick others to coredump
+	 * into their pre-created files:
+	 */
+	if (inode->i_uid != current->fsuid)
+		goto close_fail;
 	if (!file->f_op)
 		goto close_fail;
 	if (!file->f_op->write)