+++ This bug was initially created as a clone of Bug #125517 +++ Reported by Michael Schröder: If a malicious user creates a hardlink to a buggy s-bit program, the system is still compromised even after a fixed version has been installed. The attached fix removes the s-bits from files that get updated. Note that bug #125517 has a patch.
I'm not authorized to view bug #125517, sigh. Either mail the patch to me or to <rpm-devel.duke.edu> and I will include it in rpm.
I added you to the CC list of that bug; not sure if this bugzilla is set up so that helps, but I presume it does.
Patch added in rpm-4.4.3
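The following script is an added illustration of the problem and of the mitigation described in this thread; it is not the rpm patch itself and is not code from the bug report. It uses an ordinary placeholder file in a temporary directory as the "s-bit program" (constructed input, no real setuid binary is touched), compares a naive update (unlink the old file, write the new one) with an update that first clears the s-bits on the old inode, and reports whether a hardlink taken by the attacker before the update still carries the setuid bit. The function names and directory layout are this example's own.

```shell
#!/bin/sh
# Added example: why a hardlink defeats a plain reinstall, and what stripping s-bits fixes.
# Everything happens under a private temp dir; the "program" is a text file, not a real binary.
set -eu

# Run one update scenario and report whether the attacker's hardlink still has the s-bit.
# $1 is "naive" (unlink, then install) or "strip" (clear s-bits on the old inode first,
# which is the behaviour the rpm fix adds before replacing a file).
run_update() {
    mode="$1"
    work=$(mktemp -d "${TMPDIR:-/tmp}/suidlink.XXXXXX")
    bin="$work/usr-bin/buggy"          # installed path of the vulnerable program (hypothetical)
    stash="$work/attacker/buggy.old"   # attacker's hardlink: same inode, different name
    mkdir -p "$work/usr-bin" "$work/attacker"

    printf 'old vulnerable build\n' > "$bin"
    chmod 4755 "$bin"                  # the buggy program is installed setuid

    ln "$bin" "$stash"                 # attacker links the inode before the update ships

    if [ "$mode" = strip ]; then
        chmod u-s,g-s "$bin"           # fix: mode bits live in the shared inode, so this
    fi                                 # also disarms the attacker's link
    rm -f "$bin"                       # the package update only removes *this* name...
    printf 'new fixed build\n' > "$bin"
    chmod 4755 "$bin"                  # ...and installs the fixed build, setuid as before

    # [ -u FILE ] is the POSIX test for the setuid bit
    if [ -u "$stash" ]; then result=suid; else result=nosuid; fi
    rm -rf "$work"
    printf '%s\n' "$result"
}

naive_update() { run_update naive; }   # old code remains setuid under the attacker's name
strip_update() { run_update strip; }   # attacker keeps only a non-setuid copy of the old code

printf 'naive update, attacker link is: %s\n' "$(naive_update)"
printf 'strip-then-replace, attacker link is: %s\n' "$(strip_update)"
```

The point the script makes is that unlinking removes one directory entry while the inode, with its mode bits, survives as long as any other name references it; clearing the s-bits changes the inode, so every name sees the change. Note that hardlinks can only be made within one filesystem, and on Linux kernels with fs.protected_hardlinks enabled an unprivileged user can no longer link to a setuid file they do not own, which narrows this attack on modern systems.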