Bug 2212306

Summary: kexec %preun scriptlets allow a local attacker to remove arbitrary paths in the system
Product: Fedora
Reporter: Zbigniew Jędrzejewski-Szmek <zbyszek>
Component: kexec-tools
Assignee: Coiby <coxu>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 38
CC: awilliam, bhe, coxu, prudo, ruyang, ryncsn
Keywords: Security
Flags: fedora-admin-xmlrpc: mirror+
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2023-12-20 08:09:41 UTC

Description Zbigniew Jędrzejewski-Szmek 2023-06-05 08:57:01 UTC
The scriptlets start with:

if [ ! -f /run/ostree-booted ] && [ $1 == 2 ] && grep -q get-default-crashkernel /usr/bin/kdumpctl; then
  kdumpctl get-default-crashkernel kdump > /tmp/old_default_crashkernel 2>/dev/null
fi

Thus, if any local user does 'ln -s /tmp/old_default_crashkernel /some/path', the scriptlet will attempt to write to /some/path.

When testing whether this works, I realized that we set sysctl fs.protected_symlinks=1 in the configuration provided by systemd, so this will just fail in most cases instead of overwriting the file, turning this into a DoS rather than a security issue. But it's still just terrible. Please don't use a predictable file name in a shared directory.


Reproducible: Always
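The hazard described in the report, reproduced as an added example that is not part of the bug report or of the kexec-tools spec. A fake_kdumpctl function stands in for `kdumpctl get-default-crashkernel kdump`, and each run happens in a private scratch directory created with mktemp -d, where fs.protected_symlinks does not apply (it only restricts following symlinks in sticky, world-writable directories such as /tmp), so the write through the planted symlink actually lands. The vulnerable_preun function keeps the predictable fixed path; hardened_preun uses mktemp, which creates a fresh file with O_EXCL under an unpredictable name, so an attacker's pre-planted link is never followed.

```shell
#!/bin/sh
# Added example: predictable temp file vs. mktemp in a scriptlet-like writer.
# Nothing here is kexec-tools code; fake_kdumpctl and the scratch dirs are
# constructed for the demonstration.
set -eu

# Stand-in for "kdumpctl get-default-crashkernel kdump" (constructed output).
fake_kdumpctl() { echo "1G-4G:192M,4G-64G:256M"; }

# Vulnerable pattern: fixed, predictable path in a shared directory ($1).
# If an attacker has already created $1/old_default_crashkernel as a symlink,
# the redirect follows it and writes wherever the link points.
vulnerable_preun() {
    fake_kdumpctl > "$1/old_default_crashkernel" 2>/dev/null
}

# Hardened pattern: mktemp picks an unpredictable name and creates the file
# itself (O_CREAT|O_EXCL), so a pre-existing link at a guessed name is never
# opened. Prints the path it actually wrote to.
hardened_preun() {
    tmp=$(mktemp "$1/old_default_crashkernel.XXXXXX")
    fake_kdumpctl > "$tmp" 2>/dev/null
    echo "$tmp"
}

# Returns "clobbered" or "intact" for a victim file after the vulnerable
# scriptlet runs against a symlink planted at the predictable path.
demo_vulnerable() {
    work=$(mktemp -d)
    echo "important data" > "$work/victim"
    # attacker step: ln -s <target> <predictable name>
    ln -s "$work/victim" "$work/old_default_crashkernel"
    vulnerable_preun "$work" || true
    if [ "$(cat "$work/victim")" = "important data" ]; then r=intact; else r=clobbered; fi
    rm -rf "$work"
    echo "$r"
}

# Same setup, hardened writer: victim must be untouched and the file written
# must be a regular file created by mktemp, not the attacker's link.
demo_hardened() {
    work=$(mktemp -d)
    echo "important data" > "$work/victim"
    ln -s "$work/victim" "$work/old_default_crashkernel"
    out=$(hardened_preun "$work")
    if [ "$(cat "$work/victim")" = "important data" ] && [ ! -L "$out" ] && [ -f "$out" ]; then
        r=intact
    else
        r=clobbered
    fi
    rm -rf "$work"
    echo "$r"
}

# Optional host check: 1 means the kernel refuses to follow symlinks in
# sticky world-writable dirs owned by someone else (the mitigation the
# reporter observed on /tmp). Absent or 0 means the attack lands in /tmp too.
protected_symlinks_enabled() {
    [ "$(cat /proc/sys/fs/protected_symlinks 2>/dev/null)" = 1 ]
}

if [ "${1:-}" = run ]; then
    echo "vulnerable: $(demo_vulnerable)"
    echo "hardened:   $(demo_hardened)"
    protected_symlinks_enabled && echo "fs.protected_symlinks=1 on this host" || echo "fs.protected_symlinks not enabled"
fi
```

Run with `sh example.sh run`. In a real scriptlet the mktemp file should additionally be placed in a directory only root can write to (or created with `mktemp -d` first) and removed on exit; the point of the demo is only that a name an unprivileged user can predict and pre-create must never be opened with a plain redirect.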

Comment 1 Fedora Release Engineering 2023-08-16 08:10:16 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.

Comment 2 Adam Williamson 2023-10-10 19:01:30 UTC
I think this is addressed for F39+ in https://src.fedoraproject.org/rpms/kexec-tools/c/5b31b099ae9b40a8f832b07e8364d7b08025fdd6 (I don't know why Pagure isn't showing the diff correctly, but that commit dropped all use of /tmp/old_default_crashkernel from the spec). It's still present in F37 and F38, though.