Bug 1833042 (CVE-2020-10737) - CVE-2020-10737 oddjob: race condition in oddjob_selinux_mkdir function in mkhomedir.c can lead to symlink attack
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10737
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1833043 1833051 1833052
Blocks: 1829972
Reported: 2020-05-07 17:29 UTC by Marco Benatto
Modified: 2022-10-02 21:47 UTC (History)

Fixed In Version: oddjob-0.34.5, oddjob-0.34.6
Doc Text:
A race condition was found in the mkhomedir tool shipped with the oddjob package. During home directory creation, mkhomedir copies the /etc/skel directory into the newly created home and changes its ownership to the home's user without properly checking the homedir path. An attacker can leverage this flaw by creating a symlink pointing to a target folder, which then has its ownership transferred to the new home directory's unprivileged user.
Clone Of:
Environment:
Last Closed: 2020-11-04 02:25:23 UTC
Embargoed:


Links
System: Red Hat Product Errata
ID: RHSA-2020:4687
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2020-11-04 03:01:06 UTC

Description Marco Benatto 2020-05-07 17:29:04 UTC
There's a race condition in the mkhomedir tool at the function oddjob_selinux_mkdir(), during the home user creation, while copying /etc/skel to the newly created home directory. An attacker may leverage this by creating a symbolic link to a target privileged directory; as oddjob_selinux_mkdir() doesn't verify the symlink expansion and user permissions, it would end up changing the target folder ownership to the unprivileged user whose home is being created by the tool.
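
The class of flaw described above is usually closed by creating the directory and changing its ownership through a file descriptor opened with O_NOFOLLOW, rather than by path. The sketch below is an added example, not oddjob's code and not the upstream fix; the helper names, the /tmp sandbox and the entry names are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open name under parent_fd only if it is a real directory: a symlink
 * at that name makes openat() fail instead of being followed. */
int open_dir_nofollow(int parent_fd, const char *name)
{
    return openat(parent_fd, name,
                  O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
}

/* Hypothetical helper, not oddjob's code: create a directory and give it to
 * uid/gid through a descriptor. Returns 0 on success, -1 on any failure. */
int make_owned_dir(int parent_fd, const char *name, mode_t mode,
                   uid_t uid, gid_t gid)
{
    struct stat st;
    int fd, rc = -1;
    /* mkdirat() does not follow a final symlink: an existing entry is EEXIST. */
    if (mkdirat(parent_fd, name, mode) != 0)
        return -1;
    fd = open_dir_nofollow(parent_fd, name);
    if (fd < 0)
        return -1;      /* the name no longer refers to a plain directory */
    /* fstat()/fchown() act on the opened inode, so a later swap of the
     * path cannot redirect the ownership change. */
    if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode) && fchown(fd, uid, gid) == 0)
        rc = 0;
    close(fd);
    return rc;
}

int main(void)
{
    char tmpl[] = "/tmp/mkhome-demo-XXXXXX";    /* constructed sandbox */
    int parent = mkdtemp(tmpl) ? open(tmpl, O_RDONLY | O_DIRECTORY) : -1;
    if (parent < 0)
        return 1;
    mkdirat(parent, "target", 0755);
    symlinkat("target", parent, "planted");     /* constructed symlink entry */
    printf("newuser: %d\n", make_owned_dir(parent, "newuser", 0700, geteuid(), getegid()));
    printf("planted: %d\n", make_owned_dir(parent, "planted", 0700, geteuid(), getegid()));
    close(parent);
    return 0;
}
```

The demo passes the caller's own uid and gid so it runs without privileges; a privileged caller would pass the new user's ids instead.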

Comment 1 Marco Benatto 2020-05-07 17:29:08 UTC
Acknowledgments:

Name: Matthias Gerstner (SUSE security team)

Comment 2 Marco Benatto 2020-05-07 17:29:41 UTC
Created oddjob tracking bugs for this issue:

Affects: fedora-all [bug 1833043]

Comment 9 Marco Benatto 2020-05-07 19:34:05 UTC
Upstream commit for this issue:
https://pagure.io/oddjob/c/10b8aaa1564b723a005b53acc069df71313f4cac?branch

Comment 11 Product Security DevOps Team 2020-11-04 02:25:23 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10737

Comment 12 errata-xmlrpc 2020-11-04 03:01:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4687 https://access.redhat.com/errata/RHSA-2020:4687
