Bug 1452133 (CVE-2017-7501)
Summary: | CVE-2017-7501 rpm: Following symlinks to files when installing packages allows privilege escalation | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Cedric Buissart <cbuissar> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | dengguoqiang, ignatenko, kardos.lubos, mjw, packaging-team-maint, pmatilai, security-response-team, vmukhame |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | rpm 4.13.0.2, rpm 4.14.0 | Doc Type: | If docs needed, set a value |
Doc Text: | It was found that rpm uses temporary files with predictable names when installing an RPM. An attacker with the ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify the content, and possibly the permissions, of arbitrary files, which could be used for denial of service or possibly privilege escalation. |
Last Closed: | 2017-11-02 13:51:49 UTC | Type: | --- |
Bug Depends On: | 1467375 | ||
Bug Blocks: | 1450373 | ||
Description
Cedric Buissart
2017-05-18 12:12:31 UTC
Acknowledgments: Name: Cedric Buissart (Red Hat)
To clarify: the issue affects rpmlib, thus other tools using rpmlib to install RPMs, such as yum and dnf, are affected too.
Created rpm tracking bugs for this issue: Affects: fedora-all [bug 1467375]
Created attachment 1293925
1/3 Open newly created files with O_EXCL to make sure there is not a symlink already
Created attachment 1293926
2/3 Add check when reopening hard linked files
Created attachment 1293927
3/3 Open existing files with w+ to avoid messing up files if things go wrong.
Fixed upstream some time ago and now included in two releases: rpm 4.13.0.2 and 4.14.0. The upstream patch is based on Florian's initial patches but differs in some details: https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc
Thanks! Obsoleting the attached patch to prevent confusion & adding the links to the bug description.
Statement: Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
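
The symlink problem from the Doc Text and the O_EXCL approach named in attachment 1/3, as an added C example (not rpm's code and not the upstream patch): a symlink is placed at a predictable name inside a private temporary directory, and that name is then opened once without and once with O_EXCL. The directory, file names and function names are constructed for illustration.

```c
#define _XOPEN_SOURCE 700   /* mkdtemp(), symlink() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unhardened: create-or-truncate follows a symlink already sitting at `path`. */
static int open_following(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if anything occupies `path`,
 * including a symlink (even a dangling one); the link is never followed. */
static int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Plants a symlink at a predictable name, then opens that name.
 * Returns 1 if the link target was truncated, 0 if intact, -1 on error. */
int target_clobbered(int exclusive) {
    char dir[] = "/tmp/symlink-demo-XXXXXX";      /* constructed sandbox */
    char target[64], tmpname[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/protected.conf", dir);
    snprintf(tmpname, sizeof tmpname, "%s/pkgfile.tmp", dir); /* constructed name */

    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep me\n", 8) != 8) return -1;
    close(fd);
    if (symlink(target, tmpname) != 0) return -1;

    errno = 0;
    fd = exclusive ? open_exclusive(tmpname) : open_following(tmpname);
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);
    int clobbered = (stat(target, &st) != 0 || st.st_size != 8);
    unlink(tmpname); unlink(target); rmdir(dir);
    if (exclusive && !refused) return -1;
    return clobbered;
}

int main(void) {
    printf("O_CREAT|O_TRUNC clobbered target: %d\n", target_clobbered(0));
    printf("O_CREAT|O_EXCL  clobbered target: %d\n", target_clobbered(1));
    return 0;
}
```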