Bug 1600221 (CVE-2018-10897) - CVE-2018-10897 yum-utils: reposync: improper path validation may lead to directory traversal
Summary: CVE-2018-10897 yum-utils: reposync: improper path validation may lead to dire...
Status: NEW
Alias: CVE-2018-10897
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20180711,repo...
Keywords: Security
: 1552328 (view as bug list)
Depends On: 1600722 1600454 1600617 1600618 1600619 1601753 1609335
Blocks: 1549618 1598068 1595309
TreeView+ depends on / blocked
 
Reported: 2018-07-11 17:58 UTC by Scott Gayou
Modified: 2019-01-08 13:55 UTC (History)
22 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal. If reposync is running with heightened privileges on a targeted system, this flaw could potentially result in system compromise via the overwriting of critical system files.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2284 None None None 2018-07-30 14:57 UTC
Red Hat Product Errata RHSA-2018:2285 None None None 2018-07-30 14:53 UTC
Red Hat Product Errata RHSA-2018:2626 None None None 2018-09-04 13:43 UTC

Description Scott Gayou 2018-07-11 17:58:53 UTC
Reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository a user is syncing with, the attacker may be able to copy files outside of the destination directory via path traversal. If reposync is running with heightened privileges on a targeted system, this flaw could potentially result in system compromise via the overwriting of critical system files.

Comment 2 Andrej Nemec 2018-07-12 09:52:28 UTC
Created yum-utils tracking bugs for this issue:

Affects: fedora-all [bug 1600454]

Comment 10 Scott Gayou 2018-07-16 16:57:20 UTC
Acknowledgments:

Name: Jay Grizzard (Clover Network), Aaron Levy (Clover Network)

Comment 12 Doran Moppert 2018-07-17 07:51:14 UTC
Statement:

Red Hat Enterprise Virtualization includes reposync as a component from the base Enterprise Linux system. It is not used by virtualization or management components, and it is not generally useful to mirror untrusted repositories to either Hypervisor or Management Appliance. For Red Hat Enterprise Virtualization, this issue affects only unlikely configurations and thus is rated as Moderate.

Comment 14 Michal Domonkos 2018-07-20 08:05:59 UTC
*** Bug 1552328 has been marked as a duplicate of this bug. ***

Comment 26 Scott Gayou 2018-07-27 15:32:31 UTC
Created dnf-plugins-core tracking bugs for this issue:

Affects: fedora-all [bug 1609335]

Comment 27 errata-xmlrpc 2018-07-30 14:53:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2285 https://access.redhat.com/errata/RHSA-2018:2285

Comment 28 errata-xmlrpc 2018-07-30 14:57:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2284 https://access.redhat.com/errata/RHSA-2018:2284

Comment 29 errata-xmlrpc 2018-09-04 13:43:00 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2018:2626 https://access.redhat.com/errata/RHSA-2018:2626


Note You need to log in before you can comment on or make changes to this bug.