It was found that rpm follows symlinks to files when installing packages which can be leveraged by local attackers to escalate their privileges when next package upgrade happens.
Name: Cedric Buissart (Red Hat)
To clarify : the issue affects rpmlib, thus other tools using rpmlib to install RPMs, such as yum and dnf, are affected too.
Created rpm tracking bugs for this issue:
Affects: fedora-all [bug 1467375]
Created attachment 1293925 [details]
1/3 Open newly created files with O_EXCL to make sure there is not a symlink already
Created attachment 1293926 [details]
2/3 Add check when reopening hard linked files
Created attachment 1293927 [details]
3/3 Open existing files with w+ to avoid messing up files if things go wrong.
Fixed upstream some time ago and now included in two releases: rpm 188.8.131.52 and 4.14.0.
The upstream patch is based on Florian's initial patches but differes in some details:
Obsoleting the attached patch to prevent confusion & adding the links to the bug description.
Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.