[Rpm-maint] [rpm-software-management/rpm] Non-root owned symlink causes install failure (Issue #3100)

Panu Matilainen notifications at github.com
Thu Jun 20 06:38:48 UTC 2024


So seeing this thing was like popping a cork in my head and then all the memories of the symlink CVEs bubbling up throughout yesterday evening to entertain me... Commenting here instead of the PR because there's more to this than what's in the PR now.

This error is not a system error so there's no errno that will adequately, much less satisfactorily, match the situation. Been there, pored through it. It's an rpm-specific error, and that is what you now added here. I was about to say I don't remember why I didn't add a specific error for this, but actually I did: 2668a2cabfe097d58adb9810da1cc8aa7fe1cc91. Only I forgot to actually use it :laughing: . So, we don't need a new code for it.

Don't add any EPERM in there, ENOTDIR is technically the right thing for mimicking O_DIRECTORY behavior as it intends to. Instead, this invalid symlink thing can happen in any number of situations, not all of them related to directories. It needs to be caught inside the "follow links" condition and reported as the already existing RPMERR_INVALID_SYMLINK. And then make sure the O_DIRECTORY logic doesn't mess up the code. I think it doesn't but you'll want to double-check.

Finally, besides reporting the invalid symlink as such when encountered, the right thing to do is to catch this in the pre-flight checks and prevent the transaction from even starting. It doesn't remove the need to handle it inside the fsm - the fsm needs to catch it in real time like it does now to prevent bad actors, but the pre-flight check should be there to catch admin mistakes such as in the original report. Failing an update mid-transaction can have pretty catastrophic consequences so we should catch what we can. I didn't chase that back then because fixing the CVE was the priority.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3100#issuecomment-2179928290

Message ID: <rpm-software-management/rpm/issues/3100/2179928290 at github.com>

