Bug 1452133 - (CVE-2017-7501) CVE-2017-7501 rpm: Following symlinks to files when installing packages allows privilege escalation
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20170703,repor...
Keywords: Security
Depends On: 1467375
Blocks: 1450373
Reported: 2017-05-18 08:12 EDT by Cedric Buissart
Modified: 2018-09-10 23:52 EDT (History)
Fixed In Version: rpm 4.13.0.2, rpm 4.14.0
Doc Text:
It was found that rpm uses temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.
Last Closed: 2017-11-02 09:51:49 EDT

Attachments
1/3 Open newly created files with O_EXCL to make sure there is not a symlink already (2.47 KB, patch), 2017-07-03 11:37 EDT, Cedric Buissart
2/3 Add check when reopening hard linked files (1.41 KB, patch), 2017-07-03 11:38 EDT, Cedric Buissart
3/3 Open existing files with w+ to avoid messing up files if things go wrong. (827 bytes, patch), 2017-07-03 11:38 EDT, Cedric Buissart
Description Cedric Buissart 2017-05-18 08:12:31 EDT
It was found that rpm follows symlinks to files when installing packages, which can be leveraged by local attackers to escalate their privileges when the next package upgrade happens.

Upstream fix:
https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc
Comment 1 Cedric Buissart 2017-05-18 08:12:35 EDT
Acknowledgments:

Name: Cedric Buissart (Red Hat)
Comment 2 Cedric Buissart 2017-05-24 09:26:10 EDT
To clarify: the issue affects rpmlib, thus other tools using rpmlib to install RPMs, such as yum and dnf, are affected too.
Comment 4 Cedric Buissart 2017-07-03 10:56:49 EDT
Created rpm tracking bugs for this issue:

Affects: fedora-all [bug 1467375]
Comment 5 Cedric Buissart 2017-07-03 11:37 EDT
Created attachment 1293925 [details]
1/3 Open newly created files with O_EXCL to make sure there is not a symlink already
Comment 6 Cedric Buissart 2017-07-03 11:38 EDT
Created attachment 1293926 [details]
2/3 Add check when reopening hard linked files
Comment 7 Cedric Buissart 2017-07-03 11:38 EDT
Created attachment 1293927 [details]
3/3 Open existing files with w+ to avoid messing up files if things go wrong.
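As an added illustration of the two checks the attached patches describe (creating new files with O_EXCL so a pre-planted symlink is refused, and verifying a file before reopening it), the following is example code written for this page, not rpm's code or the attachments themselves; the helper names, the scratch directory and the "planted" link target are constructed assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Create a brand-new regular file at `path`; fails (-1) if anything already
 * exists there, including a dangling symlink planted by another local user.
 * O_EXCL makes open() refuse a symlink regardless of where it points. */
int create_new_file(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, mode);
    return fd < 0 ? -1 : fd;
}
/* Reopen an existing file for writing only if the name is not a symlink and
 * the object opened is the same single-link regular file lstat() reported. */
int reopen_existing_file(const char *path)
{
    struct stat lst, fst;
    if (lstat(path, &lst) < 0) return -1;
    if (!S_ISREG(lst.st_mode)) { errno = ELOOP; return -1; }
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &fst) < 0 || fst.st_dev != lst.st_dev ||
        fst.st_ino != lst.st_ino || fst.st_nlink != 1) {
        close(fd); errno = EEXIST; return -1;   /* swapped or hard-linked */
    }
    return fd;
}
/* Self-check in a constructed scratch dir; returns 0xF when all four cases
 * behave (planted link refused, fresh file created, real file reopened,
 * symlink to a real file refused on reopen). */
int demo(void)
{
    char dir[] = "/tmp/rpmexcl-XXXXXX", fresh[64], lnk[64], real[64];
    int r = 0, fd;
    if (!mkdtemp(dir)) return -1;
    snprintf(fresh, sizeof fresh, "%s/new", dir);
    snprintf(lnk, sizeof lnk, "%s/planted", dir);
    snprintf(real, sizeof real, "%s/real", dir);
    if (symlink("/nonexistent/victim", lnk) == 0 && create_new_file(lnk, 0644) < 0) r |= 1;
    if ((fd = create_new_file(fresh, 0644)) >= 0) { close(fd); r |= 2; }
    if ((fd = create_new_file(real, 0644)) >= 0) close(fd);
    if ((fd = reopen_existing_file(real)) >= 0) { close(fd); r |= 4; }
    unlink(lnk);                              /* now point the link at a real file */
    if (symlink(real, lnk) == 0 && reopen_existing_file(lnk) < 0) r |= 8;
    unlink(lnk); unlink(fresh); unlink(real); rmdir(dir);
    return r;
}
```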
Comment 8 Panu Matilainen 2017-10-26 05:10:26 EDT
Fixed upstream some time ago and now included in two releases: rpm 4.13.0.2 and 4.14.0.

The upstream patch is based on Florian's initial patches but differs in some details:
https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc
Comment 9 Cedric Buissart 2017-10-26 12:18:31 EDT
Thanks!
Obsoleting the attached patch to prevent confusion & adding the links to the bug description.
Comment 10 Cedric Buissart 2017-11-02 09:51:56 EDT
Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
