Bug 1452133 (CVE-2017-7501)

Summary: CVE-2017-7501 rpm: Following symlinks to files when installing packages allows privilege escalation
Product: [Other] Security Response
Reporter: Cedric Buissart <cbuissar>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: dengguoqiang, ignatenko, kardos.lubos, mjw, packaging-team-maint, pmatilai, security-response-team, vmukhame
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: rpm 4.13.0.2, rpm 4.14.0
Doc Type: If docs needed, set a value
Doc Text:
It was found that rpm uses temporary files with predictable names when installing an RPM. An attacker with the ability to write to a directory where files will be installed could create symbolic links to an arbitrary location and modify the content, and possibly the permissions, of arbitrary files, which could be used for denial of service or possibly privilege escalation.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-11-02 13:51:49 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1467375    
Bug Blocks: 1450373    
Attachments:
1/3 Open newly created files with O_EXCL to make sure there is not a symlink already (Flags: none)
2/3 Add check when reopening hard linked files (Flags: none)
3/3 Open existing files with w+ to avoid messing up files if things go wrong. (Flags: none)

Description Cedric Buissart 2017-05-18 12:12:31 UTC
It was found that rpm follows symlinks to files when installing packages which can be leveraged by local attackers to escalate their privileges when next package upgrade happens.

Upstream fix:
https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc

Comment 1 Cedric Buissart 2017-05-18 12:12:35 UTC
Acknowledgments:

Name: Cedric Buissart (Red Hat)

Comment 2 Cedric Buissart 2017-05-24 13:26:10 UTC
To clarify: the issue affects rpmlib, thus other tools using rpmlib to install RPMs, such as yum and dnf, are affected too.

Comment 4 Cedric Buissart 2017-07-03 14:56:49 UTC
Created rpm tracking bugs for this issue:

Affects: fedora-all [bug 1467375]

Comment 5 Cedric Buissart 2017-07-03 15:37:31 UTC
Created attachment 1293925 [details]
1/3 Open newly created files with O_EXCL to make sure there is not a symlink already

Comment 6 Cedric Buissart 2017-07-03 15:38:17 UTC
Created attachment 1293926 [details]
2/3 Add check when reopening hard linked files

Comment 7 Cedric Buissart 2017-07-03 15:38:53 UTC
Created attachment 1293927 [details]
3/3 Open existing files with w+ to avoid messing up files if things go wrong.

Comment 8 Panu Matilainen 2017-10-26 09:10:26 UTC
Fixed upstream some time ago and now included in two releases: rpm 4.13.0.2 and 4.14.0.

The upstream patch is based on Florian's initial patches but differs in some details:
https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc

Comment 9 Cedric Buissart 2017-10-26 16:18:31 UTC
Thanks!
Obsoleting the attached patch to prevent confusion & adding the links to the bug description.

Comment 10 Cedric Buissart 2017-11-02 13:51:56 UTC
Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.