Bug 1639076 - (CVE-2018-15687) CVE-2018-15687 systemd: Dereference of symlinks in chown_recursive.c:chown_one() allows for modification of file privileges
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20181026,repor...
Keywords: Security
Depends On: 1643367 1643368
Blocks: 1639078
Reported: 2018-10-14 22:35 EDT by Sam Fowler
Modified: 2018-10-31 03:54 EDT (History)
CC List: 25 users
See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments: None
Description Sam Fowler 2018-10-14 22:35:14 EDT
systemd is vulnerable to improper dereference of symlinks in the core/chown_recursive.c:chown_one() function. An attacker with local access can exploit this via services with certain configurations to modify the file permissions of arbitrary files.
Comment 1 Riccardo Schirone 2018-10-22 03:18:52 EDT
When using systemd's features CacheDirectory, LogsDirectory or StateDirectory together with the DynamicUser feature, systemd needs to recursively change ownership of those directories. While doing this, when the file is not a link, the file mode is re-set to be sure the kernel doesn't change it (which could happen with SUID/SGID files), but an attacker may be able to bypass the link check and change the mode of any file in the filesystem.
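The weakness described in the comment above is that the "is this a symlink?" check and the later mode change are performed as two separate name lookups, so the object that gets chmod'ed is not guaranteed to be the object that was checked. The following is an added example written for this page, not systemd's own chown_recursive.c and not the upstream fix; it shows the defensive pattern for a single directory entry: open the entry once with O_PATH|O_NOFOLLOW, inspect it with fstat(), and then perform both the ownership change and the mode re-set through that same descriptor (fchownat with AT_EMPTY_PATH, and chmod via the /proc/self/fd/N magic link, since fchmod() rejects O_PATH descriptors). The function names chown_one_safe() and run_demo() are hypothetical, the example assumes Linux with /proc mounted, and the files, link and directory it creates under /tmp are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result codes for chown_one_safe(). */
enum { CHOWN_OK = 0, CHOWN_SKIPPED_SYMLINK = 1, CHOWN_ERROR = -1 };

/*
 * Change ownership of one directory entry and re-apply its mode without ever
 * resolving the entry's name a second time.  O_PATH|O_NOFOLLOW opens a symlink
 * as the link itself, and every later operation goes through the descriptor,
 * so the inode that was checked is the inode that is modified.
 * (Hypothetical helper written for this example, not systemd's code.)
 */
int chown_one_safe(int dirfd, const char *name, uid_t uid, gid_t gid)
{
    int fd = openat(dirfd, name, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return CHOWN_ERROR;

    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return CHOWN_ERROR; }

    if (S_ISLNK(st.st_mode)) {
        /* Never chmod a symlink entry: chmod() always follows the link and
         * would act on whatever it points at, anywhere in the filesystem. */
        close(fd);
        return CHOWN_SKIPPED_SYMLINK;
    }

    /* chown the already-opened inode; AT_EMPTY_PATH means "the fd itself". */
    if (fchownat(fd, "", uid, gid, AT_EMPTY_PATH) < 0) { close(fd); return CHOWN_ERROR; }

    /* chown may strip SUID/SGID, so re-set the mode recorded before the chown.
     * fchmod() fails on O_PATH fds, so address the same inode through its
     * /proc magic link instead of going back to the original name. */
    char procpath[64];
    snprintf(procpath, sizeof procpath, "/proc/self/fd/%d", fd);
    int r = chmod(procpath, st.st_mode & 07777);
    close(fd);
    return r < 0 ? CHOWN_ERROR : CHOWN_OK;
}

/* Self-contained check on a throw-away directory (all names constructed here).
 * Returns 0 when the symlink entry is skipped, the regular file keeps its
 * mode, and the link target is left untouched; a non-zero code otherwise. */
int run_demo(void)
{
    char tmpl[] = "/tmp/chown-demo-XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir) return 10;
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0) return 11;

    /* "target" stands in for a sensitive file outside the managed tree;
     * "link" is an entry inside the tree that points at it. */
    int fd = openat(dirfd, "target", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return 12;
    close(fd);
    if (symlinkat("target", dirfd, "link") < 0) return 13;
    fd = openat(dirfd, "plain", O_WRONLY | O_CREAT | O_EXCL, 0640);
    if (fd < 0) return 14;
    close(fd);
    /* Set modes explicitly so the process umask cannot skew the check. */
    if (fchmodat(dirfd, "target", 0600, 0) < 0 || fchmodat(dirfd, "plain", 0640, 0) < 0)
        return 15;

    int r_link = chown_one_safe(dirfd, "link", geteuid(), getegid());
    int r_plain = chown_one_safe(dirfd, "plain", geteuid(), getegid());

    struct stat st;
    int ok = r_link == CHOWN_SKIPPED_SYMLINK && r_plain == CHOWN_OK
          && fstatat(dirfd, "target", &st, 0) == 0 && (st.st_mode & 07777) == 0600
          && fstatat(dirfd, "plain", &st, 0) == 0 && (st.st_mode & 07777) == 0640;

    unlinkat(dirfd, "link", 0);
    unlinkat(dirfd, "target", 0);
    unlinkat(dirfd, "plain", 0);
    close(dirfd);
    rmdir(dir);
    return ok ? 0 : 1;
}

int main(void)
{
    int r = run_demo();
    printf("chown_one_safe demo %s (code %d)\n", r == 0 ? "passed" : "failed", r);
    return r == 0 ? 0 : 1;
}
```

The property to keep in mind when reviewing code of this shape is that any operation taking a path (chmod, chown, open without O_NOFOLLOW) re-resolves that path at the moment of the call, so a check made by an earlier lstat() on the same name proves nothing about what the later call will touch; binding check and action to one descriptor removes that window.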
Comment 2 Riccardo Schirone 2018-10-22 03:43:57 EDT
Statement:

This issue did not affect the versions of systemd as shipped with Red Hat Enterprise Linux 7 as the vulnerable code was introduced in a newer version of the package.
Comment 3 Riccardo Schirone 2018-10-26 02:22:43 EDT
Patch currently under review at:
https://github.com/systemd/systemd/pull/10517
Comment 4 Riccardo Schirone 2018-10-26 02:24:23 EDT
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 1643367]
Comment 6 Riccardo Schirone 2018-10-29 03:02:35 EDT
Acknowledgments:

Name: Ubuntu, Jann Horn (Google Project Zero)
Comment 7 Riccardo Schirone 2018-10-31 03:54:06 EDT
Upstream patch:
https://github.com/systemd/systemd/commit/dc81f52c4d07de0c24f16edf889120780d9ae734
