It was found that mock's scm plug-in would parse a given spec file with root privileges. This could allow an attacker who is able to start a build of an rpm with a specially crafted spec file within mock's environment to elevate their privileges and escape the chroot.

The vulnerable code in scm.py is:

    ts = rpm.ts()
    rpm_spec = ts.parseSpec(self.spec)  # the spec file is parsed as root
    self.name = rpm.expandMacro("%{name}")
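One way to keep the parsing step shown above out of the root process, as an added example that is not mock's own code or its actual fix: parse in a forked child that permanently drops root and hands only the result back over a pipe. `run_unprivileged`, `read_name_tag` (a stand-in for the rpm calls), uid/gid 65534 and the sample spec are assumptions made for illustration.

```python
import json
import os

UNPRIV_UID = UNPRIV_GID = 65534  # assumption: "nobody"; use the real build user

def read_name_tag(spec_text):
    # Hypothetical stand-in for ts.parseSpec() + rpm.expandMacro("%{name}").
    for line in spec_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "name":
            return value.strip()
    return None

def run_unprivileged(func, *args):
    """Run func(*args) in a forked child that has permanently given up root."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: never returns into the caller's code
        status = 1
        try:
            os.close(rfd)
            if os.geteuid() == 0:  # nothing to drop if already unprivileged
                os.setgroups([])       # supplementary groups first
                os.setgid(UNPRIV_GID)  # then gid, while still root
                os.setuid(UNPRIV_UID)  # sets real, effective and saved uid
                try:
                    os.setuid(0)       # a temporary seteuid() drop would pass this
                except PermissionError:
                    pass               # expected: root cannot be restored
                else:
                    raise RuntimeError("privilege drop was reversible")
            reply = {"euid": os.geteuid(), "result": func(*args)}
            os.write(wfd, json.dumps(reply).encode())
            status = 0
        finally:
            os._exit(status)
    os.close(wfd)
    with os.fdopen(rfd, "rb") as pipe:
        data = pipe.read()
    _, wait_status = os.waitpid(pid, 0)
    if wait_status != 0 or not data:
        raise RuntimeError("unprivileged child failed; refusing to parse as root")
    return json.loads(data)

# Constructed sample input, not taken from the bug report.
SAMPLE_SPEC = "Name: hello\nVersion: 1.0\nRelease: 1\nSummary: constructed sample\n"
```

The parent fails closed: if the child cannot drop privileges or dies while parsing, no result is returned and nothing is parsed as root.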
Acknowledgments: Name: Florian Weimer (Red Hat)
Created mock tracking bugs for this issue:

Affects: fedora-all [bug 1375493]
Affects: epel-all [bug 1375496]
distribution-gpg-keys-1.7-1.fc24, mock-1.2.21-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
distribution-gpg-keys-1.7-1.fc25, mock-1.2.21-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Closing because all referenced bugs have been closed.