systemd is vulnerable to improper dereference of symlinks in the core/chown_recursive.c:chown_one() function. An attacker with local access can exploit this via services with certain configurations to modify the file permissions of arbitrary files.
When using systemd's features CacheDirectory, LogsDirectory or StateDirectory together with the DynamicUser feature, systemd needs to recursively change ownership of those directories. While doing this, when the file is not a link the file mode is re-set to be sure the kernel doesn't change it (which could happen with SUID/SGID files), but an attacker may be able to bypass the link check and change the mode of any file in the filesystem.
This issue did not affect the versions of systemd as shipped with Red Hat Enterprise Linux 7 as the vulnerable code was introduced in a newer version of the package.
Patch currently under review at:
Created systemd tracking bugs for this issue:
Affects: fedora-all [bug 1643367]
Name: Ubuntu, Jann Horn (Google Project Zero)
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):