1866498 – (CVE-2020-14352) CVE-2020-14352 librepo: missing path validation in repomd.xml may lead to directory traversal

Bug 1866498 (CVE-2020-14352) - CVE-2020-14352 librepo: missing path validation in repomd.xml may lead to directory traversal

Summary: CVE-2020-14352 librepo: missing path validation in repomd.xml may lead to dir...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-14352
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1866500 1866501 1866502 1866503 1866504 1866505 1868639
Blocks:	1864106
TreeView+	depends on / blocked

Reported:	2020-08-05 18:04 UTC by Mauro Matteo Cascella
Modified:	2021-02-16 19:32 UTC (History)
CC List:	13 users (show)
Fixed In Version:	librepo 1.12.1
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in librepo. A directory traversal vulnerability was found where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise via the overwriting of critical system files. The highest threat from this flaw is to users that make use of untrusted third-party repositories.
Clone Of:
Environment:
Last Closed:	2020-09-08 13:19:44 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:3837	None	None	None	2020-09-24 12:19:09 UTC
Red Hat Product Errata	RHSA-2020:3658	None	None	None	2020-09-08 09:41:21 UTC
Red Hat Product Errata	RHSA-2020:3749	None	None	None	2020-09-15 10:21:30 UTC
Red Hat Product Errata	RHSA-2020:3756	None	None	None	2020-09-15 16:30:44 UTC
Red Hat Product Errata	RHSA-2020:5012	None	None	None	2020-11-10 13:00:47 UTC

Description Mauro Matteo Cascella 2020-08-05 18:04:02 UTC

Librepo fails to sanitize paths in the 'repomd.xml' configuration file. Malformed or malicious repository metadata could allow a remote attacker to copy files outside of the destination directory via path traversal. Considering that DNF runs as root, this flaw could potentially result in system compromise via arbitrary file overwriting of critical system files.

Comment 4 Daniel Mach 2020-08-06 14:28:59 UTC

Could you provide more details about the vulnerability that would help us to reproduce and narrow down the problem?
Are there any logs or reports we should be aware of?
Is the person who discovered this problem able to share more details incl. pointers to the suspicious code?
Is there a reproducer?

Comment 5 Mauro Matteo Cascella 2020-08-06 15:17:24 UTC

The flaw lies in prepare_repo_download_std_target() and prepare_repo_download_zck_target() in yum.c:
  -> https://github.com/rpm-software-management/librepo/blob/master/librepo/yum.c#L673
  -> https://github.com/rpm-software-management/librepo/blob/master/librepo/yum.c#L706

The code concatenates 'handle->destdir' and 'record->location_href' without properly validating the latter, which means a malformed location such as "../../../../" could allow overwriting of arbitrary files stored on the file system. I'm working on a reproducer for this issue, will post additional comments to let you know.

N.B., if I'm not mistaken the version of librepo in RHEL-7 did not include the aforementioned functions, though the same vulnerable lr_pathconcat()/open() can be found in prepare_repo_download_targets(). That's why I consider RHEL-7 to be affected too.

Comment 8 Mauro Matteo Cascella 2020-08-07 14:23:17 UTC

Statement:

This issue is rated as having Moderate impact on Red Hat Enterprise Linux 7 because `DNF` is not installed by default. The `DNF` package is available through the Extras channel as an enhancement to YUM 3. Both Fedora and Red Hat Enterprise Linux leverage transport security and package signatures to ship software to their users in a safe way.

Fedora provides a centralized, non-mirrored Fedora-run metalink service which provides a list if active mirrors and the expected cryptographic digest of the `repomd.xml` files. yum uses this information to select a mirror and verify that it serves the up-to-date, untampered `repomd.xml`. The chain of cryptographic digests is verified from there, eventually leading to verification of the .rpm file contents.

Red Hat uses a different option to distribute Red Hat Enterprise Linux and its RPM-based products: a content-distribution network, managed by a trusted third party. Furthermore, the repositories provided by Red Hat use a separate public key infrastructure which is managed by Red Hat. For further information, refer to the following articles.

[1] https://access.redhat.com/blogs/766093/posts/1976693

[2] https://access.redhat.com/articles/1373143

Comment 10 Mauro Matteo Cascella 2020-08-07 15:44:09 UTC

YUM 3 is not affected by this issue. As mentioned above, the DNF package (YUM 4) is shipped in RHEL-7 via the Extras channel. It's worth noting that the version of librepo in RHEL-7 does not allow file overwriting with arbitrary content; the targeted file ends up being overwritten with an empty file. This is most probably due to the O_TRUNC file status flag: https://github.com/rpm-software-management/librepo/blob/1.8.1/librepo/yum.c#L577.

Comment 11 Mauro Matteo Cascella 2020-08-10 12:35:23 UTC

Mitigation:

Avoid downloading software from untrusted third-party mirrors. Note that under normal circumstances, this flaw does not pose any threat to Red Hat users, as repositories are fully trusted and controlled by Red Hat.

Comment 12 Mauro Matteo Cascella 2020-08-10 13:26:08 UTC

Acknowledgments:

Name: Sergei Iudin <siudin>

Comment 13 Mauro Matteo Cascella 2020-08-13 11:15:41 UTC

Created librepo tracking bugs for this issue:

Affects: fedora-all [bug 1868639]

Comment 15 Mauro Matteo Cascella 2020-08-27 17:05:31 UTC

Upstream fix:
https://github.com/rpm-software-management/librepo/commit/7daea2a2429a54dad68b1de9b37a5f65c5cf2600

Comment 18 errata-xmlrpc 2020-09-08 09:41:19 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3658 https://access.redhat.com/errata/RHSA-2020:3658

Comment 19 Product Security DevOps Team 2020-09-08 13:19:44 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14352

Comment 22 errata-xmlrpc 2020-09-15 10:21:26 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:3749 https://access.redhat.com/errata/RHSA-2020:3749

Comment 23 errata-xmlrpc 2020-09-15 16:30:42 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:3756 https://access.redhat.com/errata/RHSA-2020:3756

Comment 29 errata-xmlrpc 2020-11-10 13:00:44 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:5012 https://access.redhat.com/errata/RHSA-2020:5012

Note You need to log in before you can comment on or make changes to this bug.