Bug 1375490 (CVE-2016-6299)
| Summary: | CVE-2016-6299 mock: privilege escalation via mock-scm | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Martin Prpič <mprpic> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | fweimer, jdisnard, mebrown, msimacek, msuchy, praiskup, williams |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-10-03 06:30:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1375493, 1375496 | ||
| Bug Blocks: | |||
Acknowledgments:

Name: Florian Weimer (Red Hat)

Created mock tracking bugs for this issue:

Affects: fedora-all [bug 1375493]
Affects: epel-all [bug 1375496]

distribution-gpg-keys-1.7-1.fc24, mock-1.2.21-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

distribution-gpg-keys-1.7-1.fc25, mock-1.2.21-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Closing because all referenced bugs have been closed.

It was found that mock's scm plug-in would parse a given spec file with root privileges. This could allow an attacker who is able to start a build of an rpm with a specially crafted spec file within mock's environment to elevate their privileges and escape the chroot.

The vulnerable code in scm.py is:

```python
ts = rpm.ts()
rpm_spec = ts.parseSpec(self.spec)  # the spec file is parsed as root
self.name = rpm.expandMacro("%{name}")
```
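
One way to keep a parse step like the one in this report from running as root, shown as an added example that is not mock's code and not the fix that shipped: fork a worker, drop root irreversibly, parse there, and pass only the result back. `read_name_tag`, `SAMPLE_SPEC` and the default uid/gid 65534 are assumptions made for the illustration; `read_name_tag` stands in for the rpm calls.

```python
import json
import os

# Constructed sample input; not a spec file from the bug report.
SAMPLE_SPEC = "Name: demo\nVersion: 1.0\nRelease: 1\nSummary: constructed sample\n"


def read_name_tag(spec_text):
    """Hypothetical stand-in for the rpm parseSpec()/expandMacro() step."""
    for line in spec_text.splitlines():
        tag, _, value = line.partition(":")
        if tag.strip().lower() == "name":
            return value.strip()
    return None


def run_unprivileged(func, uid=65534, gid=65534):
    """Run func() in a forked child that has irreversibly dropped root.

    uid/gid 65534 ("nobody" on many systems) is an assumed default.
    Returns {"euid": <child's effective uid>, "result": <func() value>}.
    """
    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: never returns to the caller
        status = 1
        try:
            os.close(read_fd)
            if os.geteuid() == 0:
                os.setgroups([])   # groups and gid first: after setuid()
                os.setgid(gid)     # the process may no longer change them
                os.setuid(uid)     # sets real, effective and saved uid
                try:
                    os.setuid(0)   # must fail, or the drop was not permanent
                except OSError:
                    pass
                else:
                    raise RuntimeError("privilege drop was reversible")
            payload = {"euid": os.geteuid(), "result": func()}
            with os.fdopen(write_fd, "w") as out:
                json.dump(payload, out)
            status = 0
        finally:
            os._exit(status)
    os.close(write_fd)
    with os.fdopen(read_fd) as src:
        data = src.read()
    _, wait_status = os.waitpid(pid, 0)
    if wait_status != 0 or not data:
        raise RuntimeError("unprivileged worker failed")
    return json.loads(data)
```

The result crosses the pipe as JSON rather than pickle, so the privileged parent never deserialises objects produced by the worker that handled the untrusted file. When the caller is not root, the worker simply runs with the caller's uid.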