Bug 1452133 (CVE-2017-7501) - CVE-2017-7501 rpm: Following symlinks to files when installing packages allows privilege escalation
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-7501
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1467375
Blocks: 1450373
Reported: 2017-05-18 12:12 UTC by Cedric Buissart
Modified: 2021-02-17 02:08 UTC (History)

Fixed In Version: rpm 4.13.0.2, rpm 4.14.0
Doc Type: If docs needed, set a value
Doc Text:
It was found that rpm uses temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.
Clone Of:
Environment:
Last Closed: 2017-11-02 13:51:49 UTC
Embargoed:


Attachments
1/3 Open newly created files with O_EXCL to make sure there is not a symlink already (2.47 KB, patch)
2017-07-03 15:37 UTC, Cedric Buissart
2/3 Add check when reopening hard linked files (1.41 KB, patch)
2017-07-03 15:38 UTC, Cedric Buissart
3/3 Open existing files with w+ to avoid messing up files if things go wrong. (827 bytes, patch)
2017-07-03 15:38 UTC, Cedric Buissart

Description Cedric Buissart 2017-05-18 12:12:31 UTC
It was found that rpm follows symlinks to files when installing packages, which can be leveraged by local attackers to escalate their privileges when the next package upgrade happens.

Upstream fix:
https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc

Comment 1 Cedric Buissart 2017-05-18 12:12:35 UTC
Acknowledgments:

Name: Cedric Buissart (Red Hat)

Comment 2 Cedric Buissart 2017-05-24 13:26:10 UTC
To clarify: the issue affects rpmlib, thus other tools using rpmlib to install RPMs, such as yum and dnf, are affected too.

Comment 4 Cedric Buissart 2017-07-03 14:56:49 UTC
Created rpm tracking bugs for this issue:

Affects: fedora-all [bug 1467375]

Comment 5 Cedric Buissart 2017-07-03 15:37:31 UTC
Created attachment 1293925 [details]
1/3 Open newly created files with O_EXCL to make sure there is not a symlink already

Comment 6 Cedric Buissart 2017-07-03 15:38:17 UTC
Created attachment 1293926 [details]
2/3 Add check when reopening hard linked files

Comment 7 Cedric Buissart 2017-07-03 15:38:53 UTC
Created attachment 1293927 [details]
3/3 Open existing files with w+ to avoid messing up files if things go wrong.
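The mitigation named by patch 1/3 (and implied by the Doc Text above), as an added C example that is neither rpm's code nor part of this bug report: create the destination with O_CREAT|O_EXCL so that a symlink already planted at the install path is refused (EEXIST) rather than followed. The temporary directory, the decoy "victim" file and its contents are constructed for the demonstration; `safe_create`, `create_refused` and `demo_mitigation_holds` are hypothetical helper names.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not rpm's): create a new file at `path` the way the
   O_EXCL fix describes. With O_CREAT|O_EXCL, open() fails with EEXIST when
   anything already occupies the path, including a symbolic link, so a
   pre-planted link is never followed to its target. Returns fd >= 0 on
   success, -1 with errno set on failure. */
int safe_create(const char *path, mode_t mode)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, mode);
}

/* Returns 1 if creation was refused because the path was already occupied
   (EEXIST), 0 if the file was created, -1 on any other error. */
int create_refused(const char *path)
{
    int fd = safe_create(path, 0644);
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    return errno == EEXIST ? 1 : -1;
}

/* Demonstration in a fresh temporary directory (constructed scenario):
   a decoy "victim" file exists, and a symlink sits at the install path
   pointing to it. The hardened open must refuse the path and the decoy
   must remain untouched. Returns 1 if the mitigation held, 0 otherwise. */
int demo_mitigation_holds(void)
{
    char dir[] = "/tmp/rpm-excl-demoXXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;

    char victim[PATH_MAX], target[PATH_MAX];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(target, sizeof target, "%s/installed-file", dir);

    /* constructed decoy file with known contents */
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (vfd < 0)
        return -1;
    (void)write(vfd, "original\n", 9);
    close(vfd);

    /* constructed pre-existing symlink at the install path */
    if (symlink(victim, target) != 0)
        return -1;

    int refused = create_refused(target);   /* expected: 1 (EEXIST) */

    /* verify the decoy's contents were not touched */
    char buf[32] = {0};
    int rfd = open(victim, O_RDONLY);
    ssize_t n = rfd >= 0 ? read(rfd, buf, sizeof buf - 1) : -1;
    if (rfd >= 0)
        close(rfd);
    int intact = (n == 9 && strcmp(buf, "original\n") == 0);

    unlink(target);
    unlink(victim);
    rmdir(dir);
    return (refused == 1 && intact) ? 1 : 0;
}

int main(void)
{
    printf("O_EXCL refused the pre-planted symlink: %s\n",
           demo_mitigation_holds() == 1 ? "yes" : "no");
    return 0;
}
```

POSIX specifies that when O_CREAT and O_EXCL are both set and the path names a symbolic link, open() fails regardless of what the link points to, which is what makes the check atomic: there is no window between "does the path exist" and "create it" for a link to be planted. O_NOFOLLOW is redundant in the creation case but documents the intent; the separate concern of reopening existing files (patches 2/3 and 3/3) needs its own checks on the already-opened descriptor, for example fstat() to confirm a regular file with the expected link count.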

Comment 8 Panu Matilainen 2017-10-26 09:10:26 UTC
Fixed upstream some time ago and now included in two releases: rpm 4.13.0.2 and 4.14.0.

The upstream patch is based on Florian's initial patches but differs in some details:
https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc

Comment 9 Cedric Buissart 2017-10-26 16:18:31 UTC
Thanks!
Obsoleting the attached patch to prevent confusion & adding the links to the bug description.

Comment 10 Cedric Buissart 2017-11-02 13:51:56 UTC
Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

