An unfortunate regression in rpm 4.14.2 causes --setperms to behave incorrectly on symbolic links: file and directory permissions become world writable and executable on symlink targets. A similar flaw exists in --setugids, but it is less exploitable.
If you have used --setperms (or --setugids, or --restore) with rpm 4.14.2, you should first ensure system integrity with rpm --verify, and only then correct any mixed-up permissions and ownerships; otherwise you risk giving suid capabilities to a modified binary.
Further details of the --setperms bug are available upstream: http://rpm.org/wiki/Releases/4.14.2.1
Note that this update cannot automatically fix possible damage done by using --setperms, --setugids or --restore with rpm 4.14.2; it merely fixes the functionality itself. Any damage needs to be investigated and fixed manually, such as by using --verify and --restore or by reinstalling packages.
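One way to do the verify-before-restore triage described above, as an added example that is not part of the advisory or of rpm itself: it sorts rpm --verify output into files whose content changed (investigate or reinstall first) and files where only mode or ownership differ. The function names and sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): triage `rpm --verify` output so that
# content changes are investigated before any permission fix-up.
# Each line: 9 flag characters (S M 5 D L U G T P), an optional attribute
# marker (c = config file), then the path. "." means the test passed.

# classify_verify: read verify output on stdin, print "<CLASS> <path>".
#   CONTENT  digest (5) differs or could not be read on a non-config file
#   PERMS    mode/owner/group (M/U/G) differ and there is no CONTENT finding
#   MISSING  file is absent
classify_verify() {
    awk '
    {
        flags = $1
        rest = $0
        sub(/^[^ ]+ +/, "", rest)            # drop the flag field
        marker = ""
        if (rest !~ /^\//) {                 # attribute marker precedes the path
            marker = substr(rest, 1, 1)
            sub(/^. +/, "", rest)
        }
        if (flags == "missing") { print "MISSING", rest; next }
        if (length(flags) != 9) next         # not a verify line
        if (substr(flags, 3, 1) != "." && marker != "c") {
            print "CONTENT", rest; next
        }
        if (flags ~ /^.M/ || flags ~ /^.....U/ || flags ~ /^......G/) {
            print "PERMS", rest
        }
    }'
}

# Constructed sample input; paths are placeholders, not from a real system.
sample_verify_output() {
    cat <<'EOF'
.M.......    /usr/bin/example-tool
SM5....T.    /usr/bin/example-suid
S.5....T.  c /etc/example.conf
.....UG..    /var/lib/example
missing      /usr/share/example/data
EOF
}

sample_verify_output | classify_verify
# On a real system: rpm --verify -a | classify_verify
```

Files reported as CONTENT are the ones to check or reinstall before restoring permissions, since restoring a suid mode onto them is the risk the advisory warns about.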
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2018-89a3999673
This update has been submitted for testing by pmatilai.
pmatilai edited this update.
This update has been pushed to testing.
works as usual
Works great! LGTM! =)
works
pmatilai edited this update.
No regressions found
works for me
Works after upgrade from F28 to F29.
no regressions noted
This update has been submitted for batched by pmatilai.
This update has been submitted for stable by bodhi.
This update has been pushed to stable.