Bug 1157882 (CVE-2021-35937)

Summary: VUL-0: CVE-2021-35937: rpm: TOCTOU race in checks for unsafe symlinks
Product: [Novell Products] SUSE Security Incidents
Reporter: Malte Kraus <malte.kraus>
Component: Incidents
Assignee: Michael Schröder <mls>
Status: RESOLVED WONTFIX
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: cathy.hu, gabriele.sonnu, jsegitz, lnussel, mls, msiddiqu, pmatilai, stoyan.manolov
Version: unspecified
Flags: gabriele.sonnu: needinfo? (mls)
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/248052/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-35937:6.3:(AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H) maint:planned:update
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Malte Kraus 2019-11-27 12:09:43 UTC
In response to CVE-2017-7500 and CVE-2017-7501, it was decided that the policy of RPM is "Only follow directory symlinks owned by target directory owner or root." [1]. This check was implemented in a way that is subject to race conditions.

If an attacker manages to change things between the call to lstat() that finds a safe symlink and the open() that creates a new file, the policy is not enforced.

Exploits are tricky because of the narrow timing window between the calls, but mazes [2] could probably be used to delay the stat() long enough for a reliable exploit.

Fixing this would require opening the directory with O_PATH|O_NOFOLLOW, followed by fstat() to check ownership and openat() to create the final file.

1: https://github.com/rpm-software-management/rpm/commit/f2d3be2a8741234faaa96f5fd05fdfdc75779a79
2: https://www.usenix.org/legacy/event/sec05/tech/full_papers/borisov/borisov.pdf

See also bnc#1157880.
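The race-free pattern the description outlines (open the directory with O_PATH|O_NOFOLLOW, fstat() the result to check ownership, then openat() through that fd to create the file), as an added example in C that is not rpm's code. It assumes Linux, uses hypothetical function names, builds a constructed temp-dir layout for its self-check, and applies the symlink policy to a single path component relative to a parent directory fd.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_PATH
#define O_PATH 010000000 /* Linux value, in case the header hides it */
#endif
/* Open `dir` (one name relative to parentfd) with O_NOFOLLOW, so the object we fstat() is the
 * one we create into; a trailing symlink is followed only if owned by root or `owner`. */
static int open_dir_checked(int parentfd, const char *dir, uid_t owner, int depth)
{
    struct stat st; char target[PATH_MAX];
    int fd = openat(parentfd, dir, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    if (S_ISDIR(st.st_mode)) return fd;                       /* a real directory */
    if (!S_ISLNK(st.st_mode)) { close(fd); errno = ENOTDIR; return -1; }
    if (st.st_uid != 0 && st.st_uid != owner) { close(fd); errno = EPERM; return -1; }
    if (depth >= 8) { close(fd); errno = ELOOP; return -1; }
    ssize_t n = readlinkat(fd, "", target, sizeof target - 1); /* read the link via its own fd */
    close(fd); if (n < 0) return -1;
    target[n] = '\0';
    return open_dir_checked(parentfd, target, owner, depth + 1);
}
/* Create `name` through the verified directory fd: no path re-lookup, hence no swap window. */
int create_file_checked(int parentfd, const char *dir, const char *name, uid_t owner)
{
    int dfd = open_dir_checked(parentfd, dir, owner, 0);
    if (dfd < 0) return -1;
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0644);
    int e = errno; close(dfd); errno = e;
    return fd;
}
/* Self-check on a constructed layout under a temp dir: 0 on success, else the failed step. */
int selfcheck_symlink_policy(void)
{
    char tmpl[] = "/tmp/rpm-toctou-XXXXXX";
    if (!mkdtemp(tmpl)) return 1;
    int pfd = open(tmpl, O_PATH | O_DIRECTORY);
    if (pfd < 0 || mkdirat(pfd, "real", 0755) < 0 || symlinkat("real", pfd, "link") < 0) return 2;
    int fd = create_file_checked(pfd, "link", "new.txt", getuid()); /* own link: followed */
    if (fd < 0 || faccessat(pfd, "real/new.txt", F_OK, 0) != 0) return 3;
    close(fd); /* unless we are root, a link owned by someone other than `owner` is refused */
    if (getuid() != 0 && (create_file_checked(pfd, "link", "y", getuid() + 1) != -1 || errno != EPERM)) return 4;
    close(pfd);
    return 0;
}
```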
Comment 3 Johannes Segitz 2021-03-01 15:30:03 UTC
contacted upstream about this, will make it public this or next week
Comment 4 Johannes Segitz 2021-03-02 13:02:01 UTC
Panu is looking into this, moving
CRD: 2021-03-16
preliminary to prevent the bot from freaking out starting today
Comment 5 Johannes Segitz 2021-04-01 08:42:05 UTC
Upstream maintainer is looking into this. Because of this I restart the
CRD: 2021-06-30
to have a reasonable chance to fix this
Comment 6 Johannes Segitz 2021-04-28 13:19:54 UTC
reminder ping :)
Comment 7 Johannes Segitz 2021-06-16 09:13:51 UTC
Any progress on this? We're getting close to the CRD. Thanks
Comment 8 Johannes Segitz 2021-06-30 12:14:39 UTC
CRD reached, making it public to give the community a chance to work on this
Comment 12 Stoyan Manolov 2022-09-16 08:20:37 UTC
This fix cannot be easily backported. The upstream fixes are scheduled for the next rpm major release and they are currently in beta phase. We will come back to this upon releasing the next rpm major version.