In response to CVE-2017-7500 and CVE-2017-7501, it was decided that the policy of RPM is "Only follow directory symlinks owned by target directory owner or root." . This check was only implemented for the parent directory of the file to be created. If an untrusted user owns another ancestor directory, the problem remains unfixed.
An actual exploit requires that a similar directory structure exists both at the location where RPM operates and for the files the attacker wants to get control over. Packages with such paths do exist in the real world, however. For example, in openSUSE both matomo and icinga2 ship a 'Pdo/Mysql.php' somewhere in the file system, with different ownership. A compromised 'matomo' user can create a symlink /srv/www/matomo/core/Tracker/Db ->
/usr/share/icingaweb2/library/vendor/Zend/Db/Adapter/ and on the next update of matomo, RPM would replace the 'Pdo/Mysql.php' of icinga2 and give ownership of it to the 'matomo' user.
A fix for this requires a messy ball of code using O_PATH to manually walk the whole directory structure and manually resolving symlinks, like in  and .
Created rpm tracking bugs for this issue:
Affects: fedora-all [bug 1977848]
This flaw, along with CVE-2021-35937 and CVE-2021-35938, belong to a set of complex issues that may allow an unprivileged user to trick RPM into modifying root-owned files during installation, due to race conditions and/or symlink attacks. These issues do not have a solution upstream. Fixing would require rather involved refactoring of RPM internals.
Note that in this context, unprivileged users are actually system accounts (like the pcpqa user mentioned in one of the SUSE bugs) that are usually more tightly controlled than ordinary users. In general, access to files and directories installed by RPMs requires high privileges. Regular users should not be allowed to manipulate RPM artifacts during installation. A local attacker would first need to compromise a system account in order to exploit these flaws, thus reducing the overall impact considerably.
This is considered fixed in RPM 4.18 (https://rpm.org/wiki/Releases/4.18.0) which is currently in alpha stage of the release process, final version is expected in Q3.
Upstream PR & commit: