CVE-2021-35937: 
NixOS vulnerability analysis and mitigation

A race condition vulnerability was found in rpm (CVE-2021-35937). A local unprivileged user could use this flaw to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root privileges. The vulnerability was discovered in 2021 and affects the RPM Package Manager, which is a command-line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages (MITRE, Ubuntu).

The vulnerability stems from a Time-of-Check-Time-of-Use (TOCTOU) race condition in the way RPM handles symlink checks. The issue occurs between the call to lstat() that finds a safe symlink and the open() that creates a new file, where the policy of "Only follow directory symlinks owned by target directory owner or root" is not properly enforced. While exploits are challenging due to the narrow timing window between calls, techniques like mazes could potentially be used to delay the stat() long enough for a reliable exploit (Red Hat Bugzilla).

The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. A successful exploit could allow an unprivileged local user to gain root privileges on the system. This could lead to complete system compromise (MITRE).

The vulnerability was fixed in RPM version 4.18.0. Organizations should upgrade to this or later versions to mitigate the risk. The fix involved refactoring file and directory operations to use fd-based APIs throughout (RPM Release). Various Linux distributions have also released security updates to address this vulnerability, including Red Hat Enterprise Linux and Ubuntu.