The following flaw was found in man-db: The daily mandb cleanup job for old catman pages changes the permissions of all non-man files to user man.

Originally filed against Ubuntu: https://bugs.launchpad.net/ubuntu/+source/man-db/+bug/1482786

External References: http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/
Created man-db tracking bugs for this issue: Affects: fedora-all [bug 1292433]
Hello. It appears to me that the Fedora and RHEL7 man-db packages are not affected by this, since there is no cleanup job for old catman pages there: http://pkgs.fedoraproject.org/cgit/man-db.git/tree/man-db.crondaily?h=f23
Nikola's comment above is correct: man-db in RHEL and Fedora is not affected. The man-db crontab in both doesn't chown and thus lacks the TOCTOU issue; plus (at least on RHEL) /var/cache/man lacks the setgid bit, which makes the other part of this attack possible.