The Linux kernel.core_pattern support for core dump handlers using the
pipe syntax does argument splitting after template expansion.

At minimum this bug could cause truncated values for the executable
name. This also means that the argument parsing for core dump handlers
is slightly more complicated because they have to deal with the fact
that an attacker that can control the executable name via %E and %e
could pass additional arguments, including command-line options, to the
handler. Usually this is easy to deal with by merging the remaining
arguments after an options termination indicator but it is very
unlikely that core dump handler implementers are aware of the issue.

Theoretically hostnames with %h could also be split up but in practice
they do not appear to be allowed to contain spaces.

Steps to reproduce:

   $ cat foo 
   #!/bin/sh
   printf "%s~" "$@" >> /var/log/core
   echo >> /var/log/core

   $ chmod a+rx foo

   $ sudo sysctl kernel.core_pattern="|`pwd`/foo %E"
   kernel.core_pattern = |/home/pabs/foo %E

   $ cp /bin/sleep 'sleep with spaces'

   $ ./sleep\ with\ spaces 55555 &
   [1] 16041

   $ kill -SEGV %1
   [1]+  Segmentation fault      (core dumped) ./sleep\ with\ spaces 55555

Incorrect results:

   $ cat /var/log/core
   !home!pabs!sleep~with~spaces~

Correct results:

   $ cat /var/log/core
   !home!pabs!sleep with spaces~

This was originally reported by Jakub Wilk <jwilk@jwilk.net>:
<20190312145043.jxjoj66kqssptolr@jwilk.net>
https://bugs.debian.org/924398

-- 
bye,
pabs

https://bonedaddy.net/pabs3/