It was found that rpm follows symlinks to directories when installling packages which can be leveraged by local attackers to escalate their privileges when next package upgrade happens. Upstream fix: https://github.com/rpm-software-management/rpm/commit/f2d3be2a8741234faaa96f5fd05fdfdc75779a79 https://github.com/rpm-software-management/rpm/commit/c815822c8bdb138066ff58c624ae83e3a12ebfa9
Acknowledgments: Name: Ludwig Nussel (SUSE)
Created attachment 1279319 [details] Fix issue with directories changing meta data This only addresses half of the issue. RPM clearly should not touch /etc here but instead apply the meta data to the symlink itself. This does not deal with the issue that rpm installs files at locations directed by altered/newly created symlinks.
Created attachment 1281637 [details] Open newly created files with O_EXCL to make sure there is not a symlink already
Created attachment 1281638 [details] Add check when reopening hard linked files If the directory of a hard linked files is writable to a non priviledged user the user could try to replace the hard link with a symolic link during the istallation process and have rpm overwrite an arbitrary file. This check issues an error in this case.
Created attachment 1281639 [details] Open existing files with w+ to avoid messing up files if things go wrong.
To clarify : the issue affects rpmlib, thus other tools using rpmlib to install RPMs, such as yum and dnf, are affected too.
Created rpm tracking bugs for this issue: Affects: fedora-all [bug 1467374]
Comment on attachment 1281637 [details] Open newly created files with O_EXCL to make sure there is not a symlink already Moved to BZ 1452133
Comment on attachment 1281639 [details] Open existing files with w+ to avoid messing up files if things go wrong. Moved to BZ 1452133
Comment on attachment 1281638 [details] Add check when reopening hard linked files Moved to BZ 1452133
Fixed upstream some time ago and now included in two releases: rpm 4.13.0.2 and 4.14.0. The upstream fix is quite different from the patch in comment #3, because rpm really must follow legitimate symlinks to directories, the question is determining what is a legitimate link (and what isn't). The upstreamed rule is that rpm only follows directory symlinks owned by the target directory owner or root, longer rationale + the patches are here: https://github.com/rpm-software-management/rpm/commit/f2d3be2a8741234faaa96f5fd05fdfdc75779a79 https://github.com/rpm-software-management/rpm/commit/c815822c8bdb138066ff58c624ae83e3a12ebfa9
Thanks! Obsoleting the attached patch to prevent confusion & adding the links to the bug description.
Statement: Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.