Bug 1157882 - (CVE-2021-35937) VUL-0: CVE-2021-35937: rpm: TOCTOU race in checks for unsafe symlinks
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Minor
Assigned To: Michael Schröder
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/248052/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-35937:6.3:(AV...
Reported: 2019-11-27 12:09 UTC by Malte Kraus
Modified: 2022-01-03 16:27 UTC (History)
Flags: gabriele.sonnu: needinfo? (mls)
Description Malte Kraus 2019-11-27 12:09:43 UTC
In response to CVE-2017-7500 and CVE-2017-7501, it was decided that the policy of RPM is "Only follow directory symlinks owned by target directory owner or root." [1]. This check was implemented in a way that is subject to race conditions. 

If an attacker manages to change things between the call to lstat() that finds a safe symlink and the open() that creates a new file, the policy is not enforced.

Exploits are tricky because of the narrow timing window between the calls, but mazes [2] could probably be used to delay the stat() long enough for a reliable exploit.

Fixing this would require opening the directory with O_PATH|O_NOFOLLOW, followed by fstat() to check ownership and openat() to create the final file.


1: https://github.com/rpm-software-management/rpm/commit/f2d3be2a8741234faaa96f5fd05fdfdc75779a79
2: https://www.usenix.org/legacy/event/sec05/tech/full_papers/borisov/borisov.pdf

See also bnc#1157880.
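The race-free pattern the report proposes (open the path component with O_PATH|O_NOFOLLOW, fstat() it for ownership, then openat() to create the file), written out as an added C example; this is not code from the report or from rpm. The /tmp directory-and-symlink fixture is constructed for the demo, and using readlinkat() on the already-checked symlink fd to find its target is an assumption of this example, not a step the report specifies.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_PATH
#define O_PATH 010000000   /* generic Linux value, in case the feature macro was not seen first */
#endif
/* Policy quoted in the report: follow a directory symlink only if root or the target dir owner owns it. */
int symlink_owner_allowed(uid_t link_owner, uid_t dir_owner) { return link_owner == 0 || link_owner == dir_owner; }
/* Create "name" below component "subdir" of parent_fd. The owner check uses fstat() on an O_PATH|O_NOFOLLOW
 * fd and readlinkat() on that same fd, so it binds to the inode actually followed, which lstat() then open()
 * does not. One component is handled here; a real installer repeats this for every component of the path. */
int create_file_checked(int parent_fd, const char *subdir, const char *name, uid_t dir_owner)
{
    struct stat st; char target[4096];
    int dirfd, cfd = openat(parent_fd, subdir, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (cfd < 0 || fstat(cfd, &st) < 0) { if (cfd >= 0) close(cfd); return -1; }
    if (S_ISDIR(st.st_mode)) { dirfd = cfd; }        /* plain directory: keep using this fd */
    else if (S_ISLNK(st.st_mode) && symlink_owner_allowed(st.st_uid, dir_owner)) {
        ssize_t n = readlinkat(cfd, "", target, sizeof target - 1);
        close(cfd); if (n < 0) return -1;
        target[n] = '\0';                              /* a relative target resolves against parent_fd */
        dirfd = openat(parent_fd, target, O_PATH | O_DIRECTORY | O_CLOEXEC);
    } else { close(cfd); errno = S_ISLNK(st.st_mode) ? EACCES : ENOTDIR; return -1; }
    if (dirfd < 0) return -1;
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0644);
    close(dirfd); return fd;
}

/* Constructed fixture, not from the report: tmp/real/ and tmp/link -> real, both owned by the caller.
 * Returns 0 when the file lands in real/ and a foreign dir_owner is refused with EACCES (root excepted). */
int demo_safe_create(void)
{
    char base[] = "/tmp/rpm-toctou-XXXXXX";
    struct stat st; int rc = -1, fd = -1;
    int bfd = mkdtemp(base) ? open(base, O_PATH | O_DIRECTORY | O_CLOEXEC) : -1;
    if (bfd >= 0 && fstat(bfd, &st) == 0 && mkdirat(bfd, "real", 0755) == 0 &&
        symlinkat("real", bfd, "link") == 0 &&
        (fd = create_file_checked(bfd, "link", "new.conf", st.st_uid)) >= 0) {
        close(fd); rc = fstatat(bfd, "real/new.conf", &st, AT_SYMLINK_NOFOLLOW) == 0 ? 0 : -2;
        fd = create_file_checked(bfd, "link", "other.conf", st.st_uid + 1);
        if (st.st_uid != 0 && (fd >= 0 || errno != EACCES)) rc = -3;
        if (fd >= 0) close(fd);
    }
    unlinkat(bfd, "real/new.conf", 0); unlinkat(bfd, "real/other.conf", 0); unlinkat(bfd, "link", 0);
    unlinkat(bfd, "real", AT_REMOVEDIR); close(bfd); rmdir(base);
    return rc;
}
```

Because the ownership decision and the readlinkat() both operate on the fd returned by the O_PATH|O_NOFOLLOW open, swapping the symlink between the check and the create no longer changes which inode was checked.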
Comment 3 Johannes Segitz 2021-03-01 15:30:03 UTC
contacted upstream about this, will make it public this or next week
Comment 4 Johannes Segitz 2021-03-02 13:02:01 UTC
Panu is looking into this, moving
CRD: 2021-03-16
preliminary to prevent the bot from freaking out starting today
Comment 5 Johannes Segitz 2021-04-01 08:42:05 UTC
Upstream maintainer is looking into this. Because of this I restart the 
CRD: 2021-06-30
to have a reasonable chance to fix this
Comment 6 Johannes Segitz 2021-04-28 13:19:54 UTC
reminder ping :)
Comment 7 Johannes Segitz 2021-06-16 09:13:51 UTC
Any progress on this? We're getting close to the CRD. Thanks
Comment 8 Johannes Segitz 2021-06-30 12:14:39 UTC
CRD reached, making it public to give the community a chance to work on this
Comment 9 Gabriele Sonnu 2021-12-24 08:33:29 UTC
Hi, any update on this?