Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 16 Jan 2024 11:36:07 -0300
From: Marco Benatto <>
Cc: Pavel Raiskup <>, Zack Miele <>
Subject: CVE-2023-6395 Mock: Privilege escalation for users that can access
 mock configuration


There is a flaw in the Mock software
( where an attacker
may achieve privilege escalation and execute arbitrary code as the
root user. This is due to the lack of sandboxing when expanding and
executing Jinja2 templates that may be included in some configuration

Mock is a chroot build environment manager for building RPM packages.
Mock uses Jinja2 templates for expanding configuration parameters
through the TemplatedDictionary python class.

This feature was introduced in mock 1.4 back in 2019 [1] and in 2021
the TemplatedDictionary code was split out to a separate project [2].

Mock documentation recommends that users added to the mock group on a
system be treated as privileged users [3]. However, some build systems
that invoke mock on behalf of users may unintentionally allow less
privileged users to define configuration tags that will be passed to
mock as parameters when run. Configuration tags that allow Jinja2
templates could be used to achieve remote privilege escalation and run
arbitrary code as root on the build server.

This issue is being identified by the CVE ID: CVE-2023-6395 with the
following CVSSv3.1 score:


The upstream patches for this issue can be found at:

The provided patches target the templated-dictionary module [4].

Please don't hesitate to reach us out in case of any doubts or concerns.

We would like to thank Sankin Nikita Alexeevich, an independent
security researcher, for discovering and reporting this issue.



Marco Benatto
Red Hat Product Security for urgent response

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.