This issue is somewhat similar to CVE-2023-6917 from a previous audit. `pmpost` is used to append messages to the "PCP notice board". It is called from different contexts, one of which is as `root` from within the `pmcd` startup script. The program writes the message provided on the command line to the file in /var/log/pcp/NOTICES. The directory /var/log/pcp belongs to pcp:pcp. The file is opened without passing the `O_NOFOLLOW` flag, thus it will open symlinks placed there by the pcp user. This would allow `pmpost` to be coerced into creating new files in arbitrary locations, or to corrupt arbitrary existing files in the system. Furthermore, if the NOTICES file is newly created and `pmpost` runs as root, then a `fchown()` to pcp:pcp is executed on the file. Thus it allows to pass the ownership of arbitrary newly created files in the system to pcp:pcp.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2024:6846 https://access.redhat.com/errata/RHSA-2024:6846
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Via RHSA-2024:6840 https://access.redhat.com/errata/RHSA-2024:6840
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2024:6843 https://access.redhat.com/errata/RHSA-2024:6843
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:6837 https://access.redhat.com/errata/RHSA-2024:6837
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2024:6842 https://access.redhat.com/errata/RHSA-2024:6842
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:6844 https://access.redhat.com/errata/RHSA-2024:6844
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:6847 https://access.redhat.com/errata/RHSA-2024:6847
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:6848 https://access.redhat.com/errata/RHSA-2024:6848