FEDORA-2018-f571542e45 created by ignatenkobrain 2 years ago for Fedora 28
stable

Push name/epoch/version/release macro for dependency generators


An unfortunate regression in rpm 4.14.2 causes --setperms to behave incorrectly on symbolic links: file and directory permissions become world writable and executable on symlink targets. A similar flaw exists in --setugids, but it is less exploitable.

If you have used --setperms (or --setugids, or --restore) with rpm 4.14.2, you should verify system integrity with rpm --verify before correcting any mixed-up permissions and ownerships, to avoid possibly giving suid capabilities to a modified binary.

Further details of the --setperms bug are available upstream: http://rpm.org/wiki/Releases/4.14.2.1

Note that this update cannot automatically fix possible damage done by using --setperms, --setugids or --restore with rpm 4.14.2; it merely fixes the functionality itself. Any damage needs to be investigated and fixed manually, such as by using --verify and --restore or reinstalling packages.
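
The verify-before-repair ordering described above, as an added example that is not part of the original advisory or of rpm itself: a POSIX shell filter that splits rpm --verify output into files whose content differs (examine these before touching modes or ownership) and files where only mode, user or group differ. The function names, the output labels, the choice to skip config files with edited content, and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Triage `rpm --verify` output before repairing permissions.
# Each result line starts with nine flag columns, SM5DLUGTP:
#   column 2 = mode, column 3 = digest, column 6 = user, column 7 = group.
# An optional attribute letter (c = config file) sits between flags and path.
# On a real system: rpm -Va | triage_verify

triage_verify() {
    awk '
    $1 == "missing" { print "MISSING " substr($0, index($0, "/")); next }
    length($1) == 9 && $1 ~ /^[.?SM5DLUGTP]+$/ && index($0, "/") > 0 {
        slash  = index($0, "/")
        path   = substr($0, slash)          # keeps paths containing spaces
        attr   = substr($0, 10, slash - 10); gsub(/ /, "", attr)
        digest = substr($1, 3, 1)
        # Content differs (or could not be read) on a non-config file:
        # do not restore modes or ownership until it has been examined.
        # Assumption: edited config files are expected and not flagged here.
        if (digest != "." && attr != "c") { print "INVESTIGATE " path; next }
        # Only mode (M), user (U) or group (G) differ: candidate for repair
        # with a fixed rpm.
        if (substr($1, 2, 1) == "M" || substr($1, 6, 1) == "U" ||
            substr($1, 7, 1) == "G")
            print "RESTORE " path
    }'
}

# Constructed sample of verify output (not taken from a real system).
sample_verify_output() {
    cat <<'EOF'
.M.......    /usr/bin/example-tool
S.5....T.  c /etc/example.conf
SM5....T.    /usr/sbin/example-daemon
.....UG..    /var/lib/example dir
missing     /usr/share/doc/example/README
.......T.    /usr/lib/example.so
EOF
}

sample_verify_output | triage_verify
```

Files reported as INVESTIGATE should be checked or reinstalled before any permission repair, since restoring a suid mode on a modified binary is the outcome the advisory warns about.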

How to install

sudo dnf upgrade --advisory=FEDORA-2018-f571542e45

This update has been submitted for testing by ignatenkobrain.

2 years ago

This update has obsoleted rpm-4.14.2.1-1.fc28, and has inherited its bugs and notes.

2 years ago

This update has been pushed to testing.

2 years ago
hreindl commented & provided feedback 2 years ago
karma

works for me

samoht0 commented & provided feedback 2 years ago
karma

works for me

This update has been submitted for batched by bodhi.

2 years ago

This update has been submitted for stable by ignatenkobrain.

2 years ago

This update has been pushed to stable.

2 years ago

@ignatenkobrain, you obsoleted a fairly critical security update with this nice-to-have enhancement update, invalidating the testing on the original package thus delaying its route to stable, and dropping the security rating on the way. Damage already done on this one, but don't do that again! Please edit the type and severity on this one to security to match the original if bodhi still allows that.



Metadata
Type: enhancement
Karma: 2
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 2
Dates
submitted: 2 years ago
in testing: 2 years ago
in stable: 2 years ago
