Bugzilla – Bug 1157882
VUL-0: CVE-2021-35937: rpm: TOCTOU race in checks for unsafe symlinks
Last modified: 2022-09-16 08:20:37 UTC
In response to CVE-2017-7500 and CVE-2017-7501, it was decided that the policy of RPM is "Only follow directory symlinks owned by target directory owner or root." This check was implemented in a way that is subject to race conditions.
If an attacker manages to change things between the call to lstat() that finds a safe symlink and the open() that creates a new file, the policy is not enforced.
Exploits are tricky because of the narrow timing window between the calls, but mazes could probably be used to delay the stat() long enough for a reliable exploit.
Fixing this would require opening the directory with O_PATH|O_NOFOLLOW, followed by fstat() to check ownership and openat() to create the final file.
See also bnc#1157880.
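Added illustration (not code from rpm or from this report): the descriptor-based sequence the description suggests, with the policy check done on the inode actually held rather than on a second lookup by name. It assumes Linux (O_PATH, and readlinkat() with an empty path on an O_PATH descriptor, Linux 2.6.39+) and a writable /tmp for its self-test tree; the function names, the single-level link following and the constructed directory layout are this example's own choices, not rpm's.

```c
#define _GNU_SOURCE                     /* O_PATH, readlinkat(), mkdtemp() */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Policy from the bug: follow a directory symlink only if the link itself is
 * owned by root or by the expected owner of the directory. */
int symlink_owner_allowed(uid_t link_uid, uid_t dir_owner)
{
    return link_uid == 0 || link_uid == dir_owner;
}

/* close() without clobbering the errno that explains the failure */
static int fail_close(int fd, int err)
{
    close(fd);
    errno = err;
    return -1;
}

/* The racy form does lstat(path) then open(path): two lookups by name. Here
 * the entry is pinned once with O_PATH|O_NOFOLLOW, judged with fstat() on the
 * inode actually held, and everything afterwards is relative to that fd. */
static int open_dir_checked(int parentfd, const char *dir, uid_t dir_owner)
{
    struct stat sb;
    char target[PATH_MAX];
    ssize_t n;
    int fd = openat(parentfd, dir, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &sb) != 0)
        return fail_close(fd, errno);
    if (S_ISDIR(sb.st_mode))
        return fd;                /* an O_PATH directory fd is a valid dirfd */
    if (!S_ISLNK(sb.st_mode))
        return fail_close(fd, ENOTDIR);
    if (!symlink_owner_allowed(sb.st_uid, dir_owner))
        return fail_close(fd, EPERM);
    /* Approved link: read its target through the fd just checked (readlinkat()
     * with an empty path, Linux 2.6.39+), not by name, then open it relative to
     * the link's parent; a stricter walk would check each target component. */
    n = readlinkat(fd, "", target, sizeof target - 1);
    if (n < 0)
        return fail_close(fd, errno);
    close(fd);
    target[n] = '\0';
    return openat(parentfd, target, O_PATH | O_DIRECTORY | O_CLOEXEC);
}

/* Create dir/name below basefd with the policy enforced on dir; O_EXCL and
 * O_NOFOLLOW on the last component refuse to clobber anything already there. */
int create_file_safe(int basefd, const char *dir, const char *name,
                     uid_t dir_owner, mode_t mode)
{
    int dfd = open_dir_checked(basefd, dir, dir_owner), fd;
    if (dfd < 0)
        return -1;
    fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, mode);
    if (fd < 0)
        return fail_close(dfd, errno);
    close(dfd);
    return fd;
}

/* Exercises the check on a tree constructed under /tmp: real/ (directory),
 * link -> real and flink -> real/a.txt, all owned by the caller. Returns 0
 * when every step behaves as the policy requires, else the failing step. */
int demo_symlink_policy(void)
{
    char base[] = "/tmp/toctou-demo-XXXXXX";
    int cwd = open(".", O_PATH | O_DIRECTORY | O_CLOEXEC), fd = -1, rc = 0;
    if (cwd < 0 || !mkdtemp(base) || chdir(base) != 0)
        return 1;
    if (mkdir("real", 0700) || symlink("real", "link") || symlink("real/a.txt", "flink"))
        rc = 2;
    /* caller-owned link, owner matches: the file lands in real/ */
    if (!rc && (fd = create_file_safe(AT_FDCWD, "link", "a.txt", getuid(), 0600)) < 0)
        rc = 3;
    /* a link to a regular file is not a directory, whoever owns it */
    if (!rc && (create_file_safe(AT_FDCWD, "flink", "x", getuid(), 0600) >= 0 ||
                errno != ENOTDIR))
        rc = 4;
    /* unprivileged only: the policy always trusts root-owned links */
    if (!rc && getuid() != 0 &&
        (create_file_safe(AT_FDCWD, "link", "b.txt", getuid() + 1, 0600) >= 0 ||
         errno != EPERM))
        rc = 5;
    if (fd >= 0) close(fd);
    remove("real/a.txt"); remove("link"); remove("flink"); remove("real");
    if (fchdir(cwd) == 0) remove(base);
    close(cwd);
    return rc;
}
```

The point of the structure is that no decision is ever made on a path string: the owner check reads the inode behind the descriptor, the link target is read through that same descriptor, and the file is created with openat() relative to the directory descriptor that resulted. Swapping the link after the check changes nothing the process still holds. The self-test skips the refusal step when run as root, because a root-owned link is allowed by the quoted policy.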
contacted upstream about this, will make it public this or next week
Panu is looking into this, moving
preliminary to prevent the bot from freaking out starting today
Upstream maintainer is looking into this. Because of this I restart the
to have a reasonable chance to fix this
reminder ping :)
Any progress on this? We're getting close to the CRD. Thanks
CRD reached, making it public to give the community a chance to work on this
This fix cannot be easily backported. The upstream fixes are scheduled for the next rpm major release and they are currently in beta phase. We will come back to this upon releasing the next rpm major version.