CVE-2017-7500 — Link Following in RPM

CWE-59 — Link Following CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition19 documents7 sources

Severity

7.8HIGHNVD

NVD6.7NVD6.4

EPSS

0.0%

top 84.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

RPM Debian RPM Fedoraproject Fedora +5 more

Timeline

PublishedAug 13

Latest updateAug 27

Description

It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages8 packages

▶NVDrpm/rpm4.13.0.0 — 4.13.0.2+3

▶debiandebian/rpm< rpm 4.18.0+dfsg-1 (bookworm)+1

▶Debianrpm/rpm< 4.18.0+dfsg-1+2

▶CVEListV5rpm/rpmFixed in RPM-v4.18

▶msrcmsrc/cbl_mariner_2.0_arm

Also affects: Fedora 34, Enterprise Linux 6.0, 7.0, 8.0, 9.0

🔴Vulnerability Details

GHSA

GHSA-prgv-w33h-5m73: It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to b↗2022-08-27

▶

GHSA

GHSA-63x9-9q4w-j636: A race condition vulnerability was found in rpm↗2022-08-26

▶

OSV

CVE-2021-35939: It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to b↗2022-08-26

▶

OSV

CVE-2021-35937: A race condition vulnerability was found in rpm↗2022-08-25

▶

GHSA

GHSA-2jc3-8rq8-7x2x: It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownershi↗2022-05-24

▶

📋Vendor Advisories

Microsoft

A race condition vulnerability was found in rpm. A local unprivileged user could use this flaw to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501 potentially gain↗2022-08-09

▶

Microsoft

It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns anot↗2022-08-09

▶

Red Hat

rpm: TOCTOU race in checks for unsafe symlinks↗2021-06-30

▶

Red Hat

rpm: checks for unsafe symlinks are not performed for intermediary directories↗2021-06-30

▶

Debian

CVE-2021-35937: rpm - A race condition vulnerability was found in rpm. A local unprivileged user could...↗2021

▶

💬Community

Bugzilla

CVE-2017-7500 rpm: Following symlinks to directories when installing packages allows privilege escalation [fedora-all]↗2017-07-03

▶

Bugzilla

CVE-2017-7500 rpm: Following symlinks to directories when installing packages allows privilege escalation↗2017-05-12

▶