
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-35939 is a security vulnerability in RPM (Red Hat Package Manager) discovered in 2021. The issue stems from an incomplete fix for previous vulnerabilities (CVE-2017-7500 and CVE-2017-7501), where the security check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges (CVE, Red Hat).
The vulnerability exists because the security check for unsafe symlinks was not performed for intermediary directories during package installation. The fix required complex refactoring of RPM internals, including converting all file system management operations to use the POSIX.1-2008 *at() family of calls. The issue was fixed in RPM version 4.18.0, which introduced new requirements for operating systems to support POSIX.1-2008 level APIs (RPM Release, GitHub PR).
The highest threat from this vulnerability is to data confidentiality, integrity, and system availability. An attacker could potentially gain root privileges by exploiting this flaw. The vulnerability requires that a similar directory structure exists both at the location where RPM operates and for the files the attacker wants to control (CVE).
The vulnerability was fixed in RPM version 4.18.0. The fix involves validating intermediate symlinks during installation and implementing comprehensive directory tree validation. Users should upgrade to RPM version 4.18.0 or later to address this vulnerability (RPM Release, Gentoo).
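The hardening pattern this entry describes, walking every intermediate path component with the POSIX.1-2008 *at() calls and O_NOFOLLOW rather than checking only the final parent directory, as an added illustration that is not RPM's own code (the function names, the scratch directory and the a/b vs. a/lnk test tree are constructed for this example):

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Create `relpath` below `root_fd` without following a symlink at ANY
 * component, intermediate directories included. 0 on success, -1 otherwise. */
int create_file_nofollow(int root_fd, const char *relpath)
{
    char buf[4096];
    if (strlen(relpath) >= sizeof buf || relpath[0] == '/') return -1;
    strcpy(buf, relpath);
    int dir = dup(root_fd);
    if (dir < 0) return -1;
    char *save = NULL, *comp = strtok_r(buf, "/", &save);
    while (comp) {
        char *next = strtok_r(NULL, "/", &save);
        if (!next) break;                       /* comp is now the leaf name */
        /* ELOOP if comp is a symlink, ENOTDIR if it is not a directory */
        int nd = openat(dir, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        close(dir); if (nd < 0) return -1;
        dir = nd;
        comp = next;
    }
    if (!comp) { close(dir); return -1; }
    /* O_CREAT|O_EXCL also refuses a symlink at the leaf itself */
    int fd = openat(dir, comp, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0644);
    close(dir);
    if (fd < 0) return -1;
    close(fd); return 0;
}
/* Self-test on a constructed tree: a/b is a real directory, a/lnk -> b.
 * Returns 1 when the real path is accepted and the symlinked one refused. */
int demo_self_test(void)
{
    char tmpl[] = "/tmp/cve35939demoXXXXXX";   /* constructed scratch tree */
    if (!mkdtemp(tmpl)) return 0;
    int root = open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (root < 0) return 0;
    mkdirat(root, "a", 0700); mkdirat(root, "a/b", 0700);
    symlinkat("b", root, "a/lnk");
    int ok_real = create_file_nofollow(root, "a/b/file") == 0;
    int refused = create_file_nofollow(root, "a/lnk/file") == -1;
    unlinkat(root, "a/b/file", 0); unlinkat(root, "a/lnk", 0);
    unlinkat(root, "a/b", AT_REMOVEDIR); unlinkat(root, "a", AT_REMOVEDIR);
    close(root); rmdir(tmpl);
    return ok_real && refused;
}
```

The pre-4.18.0 check validated only the immediate parent, which is exactly the case where the a/lnk component above would have been followed; opening each component separately with O_NOFOLLOW is what makes the ancestor-owned symlink observable.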
Source: This report was generated using AI