Bug 125517
| Field | Value |
|---|---|
| Summary | CVE-2005-4889 rpm: Updates leave hardlinked copies untouched. |
| Product | [Fedora] Fedora |
| Component | rpm |
| Version | 3 |
| Status | CLOSED UPSTREAM |
| Severity | medium |
| Priority | medium |
| Hardware | All |
| OS | Linux |
| Keywords | Security |
| Reporter | Michael Schröder <mls> |
| Assignee | Paul Nasrat <nobody+pnasrat> |
| QA Contact | Mike McLean <mikem> |
| CC | jlieskov, mattdm, n3npq, pmatilai, vdanen |
| Doc Type | Bug Fix |
| Last Closed | 2005-11-04 13:38:47 UTC |
| Bug Blocks | 150222, 625756 |

Description
Michael Schröder
2004-06-08 13:57:07 UTC
Created attachment 100965
Proposed patch

Fedora Core 2 is now maintained by the Fedora Legacy project for security updates only. If this problem is a security issue, please reopen and reassign to the Fedora Legacy product. If it is not a security issue and hasn't been resolved in the current FC3 updates or in the FC4 test release, reopen and change the version to match.

Hmm, good question. I leave it to your security group to decide if it's a security issue or not. For now, I've changed the product to FC3.

Hmmm. I can see how that might be an issue. I'm going to clone this into Fedora Legacy as well as leaving in FC3. Thanks.

Adding security group and flag - will look at, thanks.

This patch should probably be done in other ways, but is ok for what the patch does. Patch added to rpm cvs, should be in rpm-4.4.3-0.35 when built.

(Argh, you didn't apply the chunk that removes the bits in the FSM_RENAME case! See bug #598775)

Created attachment 419033
cvs diff

Patch to FSM_RENAME case was applied on 15 Nov 2005 20:06:53 exactly as stated.

Hmm, must have been a different branch. I just see the commit by Paul done Apr 16 13:26:12 2007, which doesn't contain it. rpm-4.4.2.3 also doesn't contain the FSM_RENAME part. Anyway, what's done is done. I don't want to do any finger pointing.

You chose to add the comment here with "you" attached. And not a different branch, 4.4.2 (on which @rpm.org is based) != 4.4.3.

(Turns out that maybe I'm the one to blame. I seem to have dropped the chunk by accident when porting the patch from 4.1.1 to 4.4.2, and Paul took it from our version. Hard to tell after such a long time.)

Yes, it's been a long time and removing setuid/setgid (and capabilities and acls and ...) is a tedious issue which (if deserving of a CVE firedrill) also means that this rpmbuild issue also needs a CVE (imho it's a far more serious issue): Name: tag with malicious syntax in spec files can be used to remove home directories: Name: foo;~ can trick rpmbuild into removing home directories and worse. Then there's %verifyscript that is run multiple times, and the flaw saving/restoring the chroot directory using embedded lua (also from you and incorrect). So it goes ... *shrug* ... Have fun!

MITRE assigned the name CVE-2005-4889 to this issue. Applying the alias here as per bug #598775 comment #27.
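
The behaviour in this bug's summary, and the effect of clearing setuid/setgid on the old file before it is replaced, as an added example that is not rpm's code or either attached patch. The function names, file names and the temporary directory are assumptions for illustration, and the "update" is modelled as a write-then-rename.

```python
import os
import stat
import tempfile

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def replace_file(path, new_content, strip_special_bits):
    """Model of an update step (hypothetical helper): write a new file, rename it over the old."""
    if strip_special_bits and os.path.lexists(path):
        st = os.lstat(path)
        # Only touch regular files: chmod on a symlink would change its target.
        if stat.S_ISREG(st.st_mode) and st.st_mode & SPECIAL_BITS:
            # The mode lives in the inode, so every hardlink to the old file
            # loses setuid/setgid here, before the name is re-pointed.
            os.chmod(path, stat.S_IMODE(st.st_mode) & ~SPECIAL_BITS)
    tmp = path + ".new"
    with open(tmp, "wb") as fh:
        fh.write(new_content)
    os.chmod(tmp, 0o4755)
    os.rename(tmp, path)  # the old inode survives if another link points at it


def stale_link_state(strip_special_bits):
    """Return (mode, content) of a pre-existing hardlink after the update."""
    with tempfile.TemporaryDirectory() as root:
        packaged = os.path.join(root, "tool")     # constructed sample file
        stale = os.path.join(root, "kept-link")   # hardlink made before the update
        with open(packaged, "wb") as fh:
            fh.write(b"old version\n")
        os.chmod(packaged, 0o4755)
        os.link(packaged, stale)
        replace_file(packaged, b"new version\n", strip_special_bits)
        with open(stale, "rb") as fh:
            content = fh.read()
        return stat.S_IMODE(os.stat(stale).st_mode), content


if __name__ == "__main__":
    for strip in (False, True):
        mode, content = stale_link_state(strip)
        print(f"strip={strip}: stale link mode={oct(mode)} content={content!r}")
```

In both runs the surviving link still holds the old content; only the run that strips the bits first leaves it without setuid.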