Bug 1833042 (CVE-2020-10737) - CVE-2020-10737 oddjob: race condition in oddjob_selinux_mkdir function in mkhomedir.c can lead to symlink attack
Summary: CVE-2020-10737 oddjob: race condition in oddjob_selinux_mkdir function in mkh...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10737
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1833043 1833051 1833052
Blocks: 1829972
TreeView+ depends on / blocked
 
Reported: 2020-05-07 17:29 UTC by Marco Benatto
Modified: 2022-10-02 21:47 UTC (History)
3 users (show)

Fixed In Version: oddjob-0.34.5, oddjob-0.34.6
Doc Type: If docs needed, set a value
Doc Text:
A race condition was found in the mkhomedir tool shipped with the oddjob package. During the home creation, mkhomedir copies the /etc/skel directory into the newly created home and changes its ownership to the home's user without properly checking the homedir path. This flaw allows an attacker to leverage this issue by creating a symlink point to a target folder, which then has its ownership transferred to the new home directory's unprivileged user.
Clone Of:
Environment:
Last Closed: 2020-11-04 02:25:23 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4687 0 None None None 2020-11-04 03:01:06 UTC

Description Marco Benatto 2020-05-07 17:29:04 UTC
There's a race condition in the mkhomedir tool at the function oddjob_selinux_mkdir(). During the home user creation, while copying /etc/skel to the newly created home directory. An attacker may leverage this by creating a symbolic link to a target privileged directory, as oddjob_selinux_mkdir() doesn't verify the symlink expansion and user permissions, it would end up changing the target folder ownership for an the unprivileged user which home is being created by the tool.

Comment 1 Marco Benatto 2020-05-07 17:29:08 UTC
Acknowledgments:

Name: Matthias Gerstner (SUSE security team)

Comment 2 Marco Benatto 2020-05-07 17:29:41 UTC
Created oddjob tracking bugs for this issue:

Affects: fedora-all [bug 1833043]

Comment 9 Marco Benatto 2020-05-07 19:34:05 UTC
Upstream commit for this issue:
https://pagure.io/oddjob/c/10b8aaa1564b723a005b53acc069df71313f4cac?branch

Comment 11 Product Security DevOps Team 2020-11-04 02:25:23 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10737

Comment 12 errata-xmlrpc 2020-11-04 03:01:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4687 https://access.redhat.com/errata/RHSA-2020:4687


Note You need to log in before you can comment on or make changes to this bug.