Bug 1450369 (CVE-2017-7500)

Summary: CVE-2017-7500 rpm: Following symlinks to directories when installing packages allows privilege escalation
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: cbuissar, ffesti, ignatenko, kardos.lubos, mjw, packaging-team-maint, pmatilai, security-response-team, vmukhame
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rpm 4.13.0.2, rpm 4.14.0 Doc Type: If docs needed, set a value
Doc Text:
It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-02 13:51:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1467374    
Bug Blocks: 1450373    
Attachments:
Description Flags
Fix issue with directories changing meta data
none
Open newly created files with O_EXCL to make sure there is not a symlink already
none
Add check when reopening hard linked files
none
Open existing files with w+ to avoid messing up files if things go wrong. none

Description Adam Mariš 2017-05-12 10:56:33 UTC 
It was found that rpm follows symlinks to directories when installling packages which can be leveraged by local attackers to escalate their privileges when next package upgrade happens.

Upstream fix:
https://github.com/rpm-software-management/rpm/commit/f2d3be2a8741234faaa96f5fd05fdfdc75779a79 
https://github.com/rpm-software-management/rpm/commit/c815822c8bdb138066ff58c624ae83e3a12ebfa9
Comment 1 Adam Mariš 2017-05-12 10:56:37 UTC 
Acknowledgments:

Name: Ludwig Nussel (SUSE)
Comment 3 Florian Festi 2017-05-16 12:42:14 UTC 
Created attachment 1279319 [details]
Fix issue with directories changing meta data

This only addresses half of the issue. RPM clearly should not touch /etc here but instead apply the meta data to the symlink itself.

This does not deal with the issue that rpm installs files at locations directed by altered/newly created symlinks.
Comment 4 Florian Festi 2017-05-23 15:22:41 UTC 
Created attachment 1281637 [details]
Open newly created files with O_EXCL to make sure there is not a symlink already
Comment 5 Florian Festi 2017-05-23 15:24:37 UTC 
Created attachment 1281638 [details]
Add check when reopening hard linked files

If the directory of a hard linked files is writable to a non priviledged user the user could try to replace the hard link with a symolic link during the istallation process and have rpm overwrite an arbitrary file. This check issues an error in this case.
Comment 6 Florian Festi 2017-05-23 15:25:14 UTC 
Created attachment 1281639 [details]
Open existing files with w+ to avoid messing up files if things go wrong.
Comment 7 Cedric Buissart 2017-05-24 13:26:04 UTC 
To clarify : the issue affects rpmlib, thus other tools using rpmlib to install RPMs, such as yum and dnf, are affected too.
Comment 9 Cedric Buissart 2017-07-03 14:56:08 UTC 
Created rpm tracking bugs for this issue:

Affects: fedora-all [bug 1467374]
Comment 10 Cedric Buissart 2017-07-03 15:42:05 UTC 
Comment on attachment 1281637 [details]
Open newly created files with O_EXCL to make sure there is not a symlink already

Moved to BZ 1452133
Comment 11 Cedric Buissart 2017-07-03 15:42:18 UTC 
Comment on attachment 1281639 [details]
Open existing files with w+ to avoid messing up files if things go wrong.

Moved to BZ 1452133
Comment 12 Cedric Buissart 2017-07-04 06:56:57 UTC 
Comment on attachment 1281638 [details]
Add check when reopening hard linked files

Moved to BZ 1452133
Comment 13 Panu Matilainen 2017-10-26 09:19:27 UTC 
Fixed upstream some time ago and now included in two releases: rpm 4.13.0.2 and 4.14.0.

The upstream fix is quite different from the patch in comment #3, because rpm really must follow legitimate symlinks to directories, the question is determining what is a legitimate link (and what isn't). 

The upstreamed rule is that rpm only follows directory symlinks owned by the target directory owner or root, longer rationale + the patches are here:
https://github.com/rpm-software-management/rpm/commit/f2d3be2a8741234faaa96f5fd05fdfdc75779a79
https://github.com/rpm-software-management/rpm/commit/c815822c8bdb138066ff58c624ae83e3a12ebfa9
Comment 14 Cedric Buissart 2017-10-26 16:14:38 UTC 
Thanks!
Obsoleting the attached patch to prevent confusion & adding the links to the bug description.
Comment 15 Cedric Buissart 2017-11-02 13:51:41 UTC 
Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.