FEDORA-2018-aa8855384d created by pmatilai a year ago for Fedora 28
obsolete

An unfortunate regression in rpm 4.14.2 causes --setperms to behave incorrectly on symbolic links: file and directory permissions become world writable and executable on symlink targets. A similar flaw exists in --setugids, but it is less exploitable.

If you have used --setperms (or --setugids, or --restore) with rpm 4.14.2, you should verify system integrity with rpm --verify before correcting any mixed-up permissions and ownerships, to avoid possibly giving suid capabilities to a modified binary.

Further details of the --setperms bug are available upstream: http://rpm.org/wiki/Releases/4.14.2.1

Note that this update cannot automatically fix possible damage done by using --setperms, --setugids or --restore with rpm 4.14.2; it merely fixes the functionality itself. Any damage needs to be investigated and fixed manually, such as by using --verify and --restore or by reinstalling packages.
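
One way to triage rpm --verify output before restoring anything, following the order the advisory gives (integrity first, permissions second). This is an added example, not part of the original advisory or of rpm; the function names, the three labels and the sample paths are constructed for illustration.

```shell
#!/bin/bash
# Verify flags are a 9-character string in the order S M 5 D L U G T P:
# '.' = test passed, '?' = test could not be performed.
# Position 2 = mode (M), 3 = digest (5), 6 = user (U), 7 = group (G).

# Classify `rpm -Va`-style lines read from stdin (hypothetical helper).
#   INVESTIGATE: content differs or file is missing; do not restore modes onto it yet
#   REVIEW:      config file with changed content; confirm the edit is expected
#   RESTORE:     only mode/owner/group differ; candidate for --restore with fixed rpm
triage_verify() {
    awk '
    $1 == "missing" { print "INVESTIGATE " substr($0, index($0, "/")); next }
    length($1) != 9 || index($0, "/") == 0 { next }   # not a verify result line
    {
        flags   = $1
        path    = substr($0, index($0, "/"))          # keeps paths with spaces
        attr    = (NF >= 3 && length($2) == 1) ? $2 : ""   # c = config, d = doc
        changed = (substr(flags, 3, 1) != ".")
        meta    = (substr(flags, 2, 1) == "M" ||
                   substr(flags, 6, 1) == "U" ||
                   substr(flags, 7, 1) == "G")
        if (changed && attr != "c") print "INVESTIGATE " path
        else if (changed)           print "REVIEW " path
        else if (meta)              print "RESTORE " path
    }'
}

# Constructed sample output (not from a real system).
sample_verify_output() {
    cat <<'EOF'
.M.......    /usr/bin/example-tool
.M...UG..    /var/lib/example
SM5....T.    /usr/bin/example-suid
S.5....T.  c /etc/example.conf
.......T.    /usr/share/doc/example/README
missing     /usr/lib64/libexample.so.1
EOF
}

# Demo on the sample; on a real host run: rpm -Va | triage_verify
sample_verify_output | triage_verify
```

Anything labelled INVESTIGATE should be reinstalled from a trusted package or examined before its mode or ownership is put back, since restoring a suid bit onto altered content is the outcome the advisory warns about.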

This update has been submitted for testing by pmatilai.

a year ago

This update has been pushed to testing.

a year ago

pmatilai edited this update.

a year ago
cserpentis commented & provided feedback a year ago

works for me in a VM

hreindl commented & provided feedback a year ago

works for me

dhgutteridge commented & provided feedback a year ago

No regressions noted.

filiperosset commented & provided feedback a year ago

no regressions noted

decathorpe commented & provided feedback a year ago

Has worked fine for over three days now.

This update has been obsoleted by rpm-4.14.2.1-2.fc28.

a year ago
ngompa commented & provided feedback a year ago

Works for me.



Metadata
Type: security
Severity: high
Karma: 6
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Dates
submitted: a year ago
in testing: a year ago
modified: a year ago
