Bug 2212306

Summary: kexec %preun scriptlets allow a local attacker to remove arbitrary paths in the system
Product: [Fedora] Fedora    Reporter: Zbigniew Jędrzejewski-Szmek <zbyszek>
Component: kexec-tools    Assignee: Coiby <coxu>
Status: NEW    QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 39    CC: bhe, coxu, ruyang, ryncsn
Target Milestone: ---    Keywords: Security
Target Release: ---
Hardware: All
OS: Linux

Description Zbigniew Jędrzejewski-Szmek 2023-06-05 08:57:01 UTC
The scriptlets start with:

if [ ! -f /run/ostree-booted ] && [ $1 == 2 ] && grep -q get-default-crashkernel /usr/bin/kdumpctl; then
  kdumpctl get-default-crashkernel kdump > /tmp/old_default_crashkernel 2>/dev/null
fi

Thus, if any local user does 'ln -s /tmp/old_default_crashkernel /some/path', the scriptlet will attempt to write to /some/path.

When testing whether this works, I realized that we set sysctl fs.protected_symlinks=1 in the configuration provided by systemd, so this will just fail in most cases, instead of overwriting the file, turning this into a DoS rather than a security issue. But it's still just terrible. Please don't use a predictable file name in a shared directory.


Reproducible: Always
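The pattern described in the report, shown beside a hardened variant, as an added example that is not kexec-tools' own code or fix. It assumes a private, root-owned state directory (e.g. /run/kexec-tools) instead of a fixed name in /tmp; the names save_crashkernel_unsafe, save_crashkernel_safe and demo_producer are hypothetical, and the crashkernel value is constructed.

```shell
#!/bin/sh
# Added example, not kexec-tools' scriptlet: the %preun writes to a
# predictable path under world-writable /tmp, so a pre-planted symlink
# redirects the write. The hardened variant writes only inside a private
# directory and never writes through a pre-existing path.

# Stand-in for "kdumpctl get-default-crashkernel kdump" (constructed value).
demo_producer() { echo "crashkernel=192M"; }

# Vulnerable pattern from the report, parameterised so it runs offline:
# $1 = command printing the value, $2 = destination path (fixed name in /tmp).
save_crashkernel_unsafe() {
    "$1" > "$2" 2>/dev/null      # follows an attacker-planted symlink
}

# Hardened variant: $1 = producer command, $2 = private state directory
# (assumed to be /run/kexec-tools on a real system, not writable by others).
save_crashkernel_safe() {
    producer=$1
    state_dir=$2
    dest=$state_dir/old_default_crashkernel

    # The directory itself must be a real directory we own, mode 0700.
    if [ -L "$state_dir" ]; then
        echo "refusing symlinked state dir: $state_dir" >&2; return 1
    fi
    mkdir -p -m 0700 "$state_dir" || return 1
    [ -O "$state_dir" ] || { echo "state dir not ours" >&2; return 1; }
    chmod 0700 "$state_dir" || return 1   # mkdir -p keeps an existing mode

    # Never write through an existing path; rm does not follow symlinks.
    if [ -L "$dest" ]; then
        echo "refusing symlink at $dest" >&2; return 1
    fi
    rm -f "$dest"
    # noclobber (set -C) makes the redirection use O_CREAT|O_EXCL, which
    # also fails on a dangling symlink, so a race cannot turn this into
    # a write elsewhere; the 0700 directory is the primary protection.
    ( set -C; "$producer" > "$dest" ) 2>/dev/null
}
```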

Comment 1 Fedora Release Engineering 2023-08-16 08:10:16 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.