security update in Fedora 27 for rpm

Status: stable a year ago

An unfortunate regression in rpm 4.14.2 causes --setperms to behave incorrectly on symbolic links: file and directory permissions become world writable and executable on symlink targets. A similar flaw exists in --setugids, but it is less exploitable.

If you have used --setperms (or --setugids, or --restore) with rpm 4.14.2, you should ensure system integrity with rpm --verify before correcting any mixed-up permissions and ownerships, to avoid possibly giving suid capabilities to a modified binary.

Further details of the --setperms bug are available upstream: http://rpm.org/wiki/Releases/

Note that this update cannot automatically fix possible damage done by using --setperms, --setugids or --restore with rpm 4.14.2; it merely fixes the functionality itself. Any damage needs to be investigated and fixed manually, such as by using --verify and --restore or reinstalling packages.
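
The verify-before-restore order described above, as an added example (not part of the advisory or of rpm itself): a shell function that triages rpm --verify output so that files whose content digest differs are investigated first, and only files with mode, owner or group drift are treated as --restore candidates. The function names, the class labels, the choice to ignore digest changes on config files, and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Triage `rpm --verify` output before using --restore.
# Flag string columns: S M 5 D L U G T P
# (size, mode, digest, device, symlink target, user, group, mtime, caps).

# classify_verify (hypothetical helper): reads `rpm -Va`-style lines on
# stdin and prints "<class> <path>" for lines that need attention.
#   CONTENT  digest differs or could not be read on a non-config file:
#            investigate or reinstall before touching permissions
#   PERMS    content intact, only mode/user/group differ: --restore candidate
#   MISSING  file no longer exists
classify_verify() {
    awk '
    {
        p = index($0, " /")              # path starts at the first " /"
        if (p == 0) next
        path = substr($0, p + 1)         # keeps paths that contain spaces
    }
    $1 == "missing" { print "MISSING", path; next }
    length($1) == 9 {
        attr   = ($2 ~ /^[cdglr]$/) ? $2 : ""    # c = config file marker
        digest = substr($1, 3, 1)
        meta   = substr($1, 2, 1) substr($1, 6, 2)   # M, U, G columns
        # Assumption of this example: edited config files are expected,
        # so a digest change on a "c" file is not reported as CONTENT.
        if (digest != "." && attr != "c")
            print "CONTENT", path
        else if (meta != "...")
            print "PERMS", path
    }'
}

# Constructed sample of verify output (not taken from a real system).
sample_verify_output() {
    cat <<'EOF'
.M.......    /usr/bin/example-tool
.M5....T.    /usr/bin/example-suid
S.5....T.  c /etc/example.conf
.M...UG..  c /etc/example dir/settings.conf
missing      /usr/share/doc/example/README
.......T.    /usr/lib/example.so
EOF
}

# On an affected system: rpm -Va | classify_verify
sample_verify_output | classify_verify
```

Resolve every CONTENT entry (for example by reinstalling the owning package) before restoring permissions on anything listed as PERMS.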

How to install

sudo dnf upgrade --advisory=FEDORA-2018-2c9120d494

Comments 11

This update has been submitted for testing by pmatilai.

This update has been pushed to testing.

pmatilai edited this update.

works for me in a VM

karma: +1

Works for me

karma: +1

No regressions noted.

karma: +1 critpath: +1

This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes

no regressions noted

karma: +1

This update has been submitted for batched by pmatilai.

This update has been submitted for stable by bodhi.

This update has been pushed to stable.

stable threshold: 5
unstable threshold: -3
submitted a year ago
in testing a year ago
in stable a year ago
modified a year ago
