Bug 1532284 (CVE-2017-18018)

Summary: CVE-2017-18018 coreutils: race condition vulnerability in chown and chgrp
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: admiller, jamartis, jarodwilson, kdudka, kzak, lpardo, ooprala, ovasik, p, twaugh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:36:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1532285    
Bug Blocks:    

Description Laura Pardo 2018-01-08 15:10:03 UTC 
A flaw was found in GNU Coreutils through 8.29 in chown-core.c. The functions chown and chgrp do not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.


References:
http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html
Comment 1 Laura Pardo 2018-01-08 15:10:48 UTC 
Created coreutils tracking bugs for this issue:

Affects: fedora-all [bug 1532285]
Comment 2 Kamil Dudka 2018-01-09 08:17:41 UTC 
Do I understand it correctly that CVE-2017-18018 was fixed as documentation bug only?  What are you expecting to happen?  The documentation fix being applied on Fedora release via security update?

Are you assuming that Fedora users read the info documentation thoroughly enough to actually notice the documentation update?
Comment 3 Andrej Nemec 2018-01-11 15:52:32 UTC 
(In reply to Kamil Dudka from comment #2)
> Do I understand it correctly that CVE-2017-18018 was fixed as documentation
> bug only?  What are you expecting to happen?  The documentation fix being
> applied on Fedora release via security update?
> 
> Are you assuming that Fedora users read the info documentation thoroughly
> enough to actually notice the documentation update?

Hey Kamil, you definitely don't need to do an async release for this kind of issue, that's your call. This was mainly filed so that we are tracking it's existence and the fact that it got a CVE identifier. I think it's fine to wait for the next upstream release which should contain the updated documentation. Feel free to wontfix the tracker if you want.