Bug 1833042 (CVE-2020-10737) - CVE-2020-10737 oddjob: race condition in oddjob_selinux_mkdir function in mkhomedir.c can lead to symlink attack
Keywords:
Status: NEW
Alias: CVE-2020-10737
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1833051 1833052 1833043
Blocks: 1829972
Reported: 2020-05-07 17:29 UTC by Marco Benatto
Modified: 2020-05-12 16:02 UTC

Fixed In Version: oddjob-0.34.5, oddjob-0.34.6
Doc Text:
A race condition was found in the mkhomedir tool shipped with the oddjob package. During home directory creation, mkhomedir copies the /etc/skel directory into the newly created home and changes its ownership to the home's user without properly checking the homedir path. An attacker can exploit this flaw by creating a symlink that points to a target folder, which then has its ownership transferred to the new home directory's unprivileged user.
Clone Of:
Environment:
Last Closed:



Description Marco Benatto 2020-05-07 17:29:04 UTC
There's a race condition in the mkhomedir tool in the function oddjob_selinux_mkdir(), during the home user creation, while copying /etc/skel to the newly created home directory. An attacker may leverage this by creating a symbolic link to a target privileged directory; as oddjob_selinux_mkdir() doesn't verify the symlink expansion and user permissions, it would end up changing the target folder's ownership to the unprivileged user whose home is being created by the tool.
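
An added example, not oddjob's code and not the upstream fix: one way to harden a mkdir-then-chown sequence like the one described above, by changing ownership through a descriptor opened with O_NOFOLLOW instead of through a path. The helper names, `demo()` and the directory names are hypothetical, and the scenario in `demo()` is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not oddjob code: chown the directory `name` under
 * parent_fd without following a symlink. Returns 0 on success, -1 on failure. */
int chown_dir_nofollow(int parent_fd, const char *name, uid_t uid, gid_t gid)
{
    /* The open fails if `name` is a symlink or is not a directory. */
    int fd = openat(parent_fd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* fchown() acts on the inode held open, so re-pointing the path later has no effect. */
    int rc = fchown(fd, uid, gid);
    close(fd);
    return rc;
}

/* Hypothetical helper: create the directory, then hand it over. mkdirat()
 * fails with EEXIST if anything, a symlink included, already has the name. */
int safe_mkdir_chown(int parent_fd, const char *name, mode_t mode, uid_t uid, gid_t gid)
{
    if (mkdirat(parent_fd, name, mode) != 0)
        return -1;
    return chown_dir_nofollow(parent_fd, name, uid, gid);
}

/* Constructed scenario: "home" is a symlink to the directory "victim".
 * Returns 1 if both helpers refuse it and a fresh name still works. */
int demo(void)
{
    char tmpl[] = "/tmp/mkhomedir-demo-XXXXXX";
    int pfd, ok;
    if (!mkdtemp(tmpl) || (pfd = open(tmpl, O_RDONLY | O_DIRECTORY)) < 0)
        return 0;
    ok = mkdirat(pfd, "victim", 0700) == 0 && symlinkat("victim", pfd, "home") == 0;
    ok = ok && safe_mkdir_chown(pfd, "home", 0700, getuid(), getgid()) == -1;
    ok = ok && chown_dir_nofollow(pfd, "home", getuid(), getgid()) == -1;
    ok = ok && safe_mkdir_chown(pfd, "alice", 0700, getuid(), getgid()) == 0;
    unlinkat(pfd, "home", 0);                /* clean up the constructed tree */
    unlinkat(pfd, "victim", AT_REMOVEDIR);
    unlinkat(pfd, "alice", AT_REMOVEDIR);
    close(pfd);
    rmdir(tmpl);
    return ok;
}
```

This protects only the final path component; the parent descriptor must itself come from a location that unprivileged users cannot rename or replace.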

Comment 1 Marco Benatto 2020-05-07 17:29:08 UTC
Acknowledgments:

Name: Matthias Gerstner (SUSE security team)

Comment 2 Marco Benatto 2020-05-07 17:29:41 UTC
Created oddjob tracking bugs for this issue:

Affects: fedora-all [bug 1833043]

Comment 9 Marco Benatto 2020-05-07 19:34:05 UTC
Upstream commit for this issue:
https://pagure.io/oddjob/c/10b8aaa1564b723a005b53acc069df71313f4cac?branch

