There's a race condition in the mkhomedir tool, in the function oddjob_selinux_mkdir(). It occurs during home directory creation, while /etc/skel is being copied to the newly created home directory. An attacker may leverage this by creating a symbolic link to a privileged target directory. Because oddjob_selinux_mkdir() doesn't verify the symlink expansion and user permissions, it would end up changing the ownership of the target folder to the unprivileged user whose home is being created by the tool.
Acknowledgments: Name: Matthias Gerstner (SUSE security team)
Created oddjob tracking bugs for this issue: Affects: fedora-all [bug 1833043]
Upstream commit for this issue: https://pagure.io/oddjob/c/10b8aaa1564b723a005b53acc069df71313f4cac?branch
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10737
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4687 https://access.redhat.com/errata/RHSA-2020:4687
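The ownership race described at the top of this report, shown as an added example (not oddjob's source and not the upstream patch): a path-based chown() beside an fd-based variant that refuses symlinks. The function names, the scratch directory under /tmp and the "home"/"victim" entries are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern (illustrative): chown() resolves the path again and follows
 * a symlink that replaced the directory after it was created. */
int chown_by_path(const char *path, uid_t uid, gid_t gid)
{
    return chown(path, uid, gid);
}

/* Hardened: pin the entry with an fd that refuses symlinks, verify it is a
 * directory this process owns, then change ownership of the fd, not a path. */
int chown_dir_nofollow(int parent_fd, const char *name, uid_t uid, gid_t gid)
{
    struct stat st;
    int fd = openat(parent_fd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;              /* ELOOP or ENOTDIR for a symlink */
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;                  /* not the directory the caller made */
        return -1;
    }
    int rc = fchown(fd, uid, gid);
    close(fd);
    return rc;
}

/* Constructed scenario in a scratch directory: "home" is a symlink to
 * "victim". Returns 1 if only the path-based call accepted the symlink. */
int demo(void)
{
    char tmpl[] = "/tmp/mkhomedir-demo-XXXXXX", path[128];
    if (!mkdtemp(tmpl)) return -1;
    int dfd = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (dfd < 0 || mkdirat(dfd, "victim", 0700) || symlinkat("victim", dfd, "home"))
        return -1;
    snprintf(path, sizeof path, "%s/home", tmpl);
    int racy = chown_by_path(path, getuid(), getgid());               /* follows link */
    int safe = chown_dir_nofollow(dfd, "home", getuid(), getgid());   /* refuses link */
    int real = chown_dir_nofollow(dfd, "victim", getuid(), getgid()); /* real dir */
    unlinkat(dfd, "home", 0); unlinkat(dfd, "victim", AT_REMOVEDIR);
    close(dfd); rmdir(tmpl);
    return racy == 0 && safe == -1 && real == 0;
}

int main(void) { printf("symlink refused only by fd-based call: %d\n", demo()); return 0; }
```

In a privileged service the same idea extends to the skeleton copy: create each entry with mkdirat()/openat() relative to an already-pinned directory fd, so no step resolves a user-controlled path a second time.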