SB2022103168 - Gentoo update for RPM

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2021-3521)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to an error in RPM's signature functionality, as RPM does not check the binding signature of subkeys before importing them. A remote attacker with ability to add malicious subkey to a legitimate public key can run malicious code on the system.

2) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2021-35937)

The vulnerability allows a local privileged user to escalate privileges on the system.

The vulnerability exist due to race condition. A local privileged user can bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root privileges.

3) Link following (CVE-ID: CVE-2021-35938)

The vulnerability allows a local privileged user to escalate privileges on the system.

The vulnerability occurs when rpm sets the desired permissions and credentials after installing a file. A local privileged user can use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system.

4) Link following (CVE-ID: CVE-2021-35939)

The vulnerability allows a local privileged user to escalate privileges on the system.

The vulnerability exist due to fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local privileged user who owns another ancestor directory could potentially use this flaw to gain root privileges.

Remediation

Install update from vendor's website.

References

• https://security.gentoo.org/glsa/202210-22