CVE-2020-10737

Name: CVE-2020-10737
Description: A race condition was found in the mkhomedir tool shipped with the oddjob package in versions before 0.34.5 and 0.34.6. During home directory creation, mkhomedir copies the /etc/skel directory into the newly created home and changes its ownership to the home's user without properly checking the homedir path. This flaw allows an attacker to leverage this issue by creating a symlink pointing to a target folder, which then has its ownership transferred to the new home directory's unprivileged user.
Source: CVE (at NVD; also referenced at CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues)
Debian Bugs: 960089

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release       Version    Status
oddjob (PTS)     buster        0.34.4-1   vulnerable
                 bullseye      0.34.6-1   fixed
                 bookworm      0.34.7-1   fixed
                 sid, trixie   0.34.7-2   fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
oddjob    source   (unstable)   0.34.6-1                           960089

Notes

[buster] - oddjob <no-dsa> (Minor issue)
[stretch] - oddjob <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=1833042
https://pagure.io/oddjob/c/10b8aaa1564b723a005b53acc069df71313f4cac
