Bug 1639076 (CVE-2018-15687)
| Field | Value |
|---|---|
| Summary | CVE-2018-15687 systemd: Dereference of symlinks in chown_recursive.c:chown_one() allows for modification of file privileges |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED NOTABUG |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Sam Fowler <sfowler> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | abhgupta, bmcclain, dbaker, dblechte, dfediuck, eedri, jokerman, lnykryn, lpoetter, mgoldboi, michal.skrivanek, msekleta, rschiron, sbonazzo, security-response-team, sherold, s, sthangav, systemd-maint-list, systemd-maint, trankin, zbyszek, zjedrzej |
| Keywords | Security |
| Last Closed | 2019-07-12 13:06:04 UTC |
| Bug Depends On | 1643367, 1643368 |
| Bug Blocks | 1639078 |

Description
Sam Fowler
2018-10-15 02:35:14 UTC
When using systemd's features CacheDirectory, LogsDirectory or StateDirectory together with the DynamicUser feature, systemd needs to recursively change ownership of those directories. While doing this, when the file is not a link the file mode is re-set to be sure the kernel doesn't change it (which could happen with SUID/SGID files), but an attacker may be able to bypass the link check and change the mode of any file in the filesystem.

Statement: This issue did not affect the versions of systemd as shipped with Red Hat Enterprise Linux 7 as the vulnerable code was introduced in a newer version of the package.

Patch currently under review at: https://github.com/systemd/systemd/pull/10517

Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1643367]

Acknowledgments:

Name: Ubuntu, Jann Horn (Google Project Zero)

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-15687
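One way to keep a link check from being bypassed between the check and the mode change is to do the check, the ownership change and the mode restore on a single file descriptor opened with `O_NOFOLLOW`. The C below is an added example, not systemd's code and not the patch in the pull request above; `chown_entry_nofollow` and `demo` are hypothetical names, the temporary directory contents are constructed, and the helper assumes Linux and entries the caller can open read-only.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not systemd's chown_one(): chown one directory entry and
 * restore its mode through a single descriptor. Returns 0 or -errno. */
int chown_entry_nofollow(int dirfd, const char *name, uid_t uid, gid_t gid)
{
    struct stat st;
    int r = 0;
    /* O_NOFOLLOW: ELOOP if name is a symlink. O_NONBLOCK: never hang on a FIFO. */
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    /* All three calls act on the inode held open, never on the name again. */
    if (fstat(fd, &st) < 0 || fchown(fd, uid, gid) < 0 ||
        fchmod(fd, st.st_mode & 07777) < 0) /* chown may drop SUID/SGID */
        r = -errno;
    close(fd);
    return r;
}

/* Constructed scenario: temp dir holding "data" (0640) and "link" -> "data".
 * rc[0]/rc[1] get the helper's result per name; returns data's mode or -1. */
int demo(int rc[2])
{
    char tmpl[] = "/tmp/chown-demo-XXXXXX";
    struct stat st;
    int dfd, fd, mode = -1;
    if (!mkdtemp(tmpl) || (dfd = open(tmpl, O_RDONLY | O_DIRECTORY)) < 0)
        return -1;
    fd = openat(dfd, "data", O_CREAT | O_WRONLY | O_EXCL, 0600);
    if (fd >= 0 && fchmod(fd, 0640) == 0 && symlinkat("data", dfd, "link") == 0) {
        rc[0] = chown_entry_nofollow(dfd, "data", geteuid(), getegid());
        rc[1] = chown_entry_nofollow(dfd, "link", geteuid(), getegid());
        if (fstat(fd, &st) == 0)
            mode = (int)(st.st_mode & 07777);
    }
    if (fd >= 0)
        close(fd);
    unlinkat(dfd, "link", 0);
    unlinkat(dfd, "data", 0);
    close(dfd);
    rmdir(tmpl);
    return mode;
}
```

In `demo()`, the regular file keeps mode 0640 and the symlink is refused with `-ELOOP`, so the file it points to is never touched through the link.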