Bug 2252206 (CVE-2023-6395)

Summary: CVE-2023-6395 Mock: Privilege escalation for users that can access mock configuration
Product: [Other] Security Response Reporter: Marco Benatto <mbenatto>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: templated_dictionary 1.4.1 Doc Type: If docs needed, set a value
Doc Text:
The Mock software contains a vulnerability wherein an attacker could potentially exploit privilege escalation, enabling the execution of arbitrary code with root user privileges. This weakness stems from the absence of proper sandboxing during the expansion and execution of Jinja2 templates, which may be included in certain configuration parameters. While the Mock documentation advises treating users added to the mock group as privileged, certain build systems invoking mock on behalf of users might inadvertently permit less privileged users to define configuration tags. These tags could then be passed as parameters to mock during execution, potentially leading to the utilization of Jinja2 templates for remote privilege escalation and the execution of arbitrary code as the root user on the build server.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2258607, 2258608    
Bug Blocks: 2252205    

Description Marco Benatto 2023-11-30 05:36:36 UTC 
There is a flaw in the Mock software where an attacker may achieve privilege escalation and execute arbitrary code as the root user. This is due to the lack of sandboxing when expanding and executing Jinja2 templates that may be included in some configuration parameters.
Mock documentation recommends that users added to the mock group on a system be treated as privileged users. However, some build systems that invoke mock on behalf of users may unintentionally allow less privileged users to define configuration tags that will be passed to mock as parameters when run. Configuration tags that allow Jinja2 templates could be used to achieve remote privilege escalation and run arbitrary code as root on the build server.
Comment 5 Marco Benatto 2024-01-16 13:53:13 UTC 
Created mock tracking bugs for this issue:

Affects: epel-all [bug 2258608]
Affects: fedora-all [bug 2258607]
Comment 6 Marco Benatto 2024-01-16 14:05:03 UTC 
Upstream commits for this issue:
https://github.com/xsuchy/templated-dictionary/commit/bcd90f0dafa365575c4b101e6f5d98c4ef4e4b69
https://github.com/xsuchy/templated-dictionary/commit/0740bd0ca8d487301881541028977d120f8b8933