CVE-2017-7501 (https://nvd.nist.gov/vuln/detail/CVE-2017-7501): It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions of arbitrary files, which could be used for denial of service or possibly privilege escalation. Upstream Patch: https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc @maintainer(s): after bump, please call for stabilization when ready, thank you. Gentoo Security Padawan (jmbailey/mbailey_j)
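The bug class the advisory describes (a staging file whose name can be guessed from the install target, so a local user who can write to the install directory plants a symlink there first) is easiest to see next to its hardened form. The following is an added example written for this page; it is not rpm's code, not the upstream patch linked above, and the `;tmp` suffix, the `stage_*` function names and the scratch directory under /tmp are constructed for the demo. The attack simulation plants a symlink at the predictable name pointing at a file the attacker could not otherwise modify, runs each staging routine, and reports whether that file was overwritten.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define PATHBUF 4096

/* Constructed demo, not rpm's code: an installer stages a file next to its
 * target and then renames it into place. The two stage_* functions differ
 * only in how the staging path is chosen and opened. */

static int write_all(int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) return -1;
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Vulnerable pattern: the staging name is a fixed function of the target
 * name, and open() without O_EXCL follows a symlink planted at that name. */
static int stage_predictable(const char *target, const char *payload) {
    char tmp[PATHBUF];
    if (snprintf(tmp, sizeof tmp, "%s;tmp", target) >= (int)sizeof tmp) return -1;
    int fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    int rc = write_all(fd, payload, strlen(payload));
    close(fd);
    if (rc != 0) { unlink(tmp); return -1; }
    return rename(tmp, target);
}

/* Hardened pattern: mkstemp() fills the XXXXXX suffix unpredictably and
 * opens with O_CREAT|O_EXCL, so the attacker can neither guess the name in
 * advance nor have a planted symlink followed. */
static int stage_unpredictable(const char *target, const char *payload) {
    char tmp[PATHBUF];
    if (snprintf(tmp, sizeof tmp, "%s;XXXXXX", target) >= (int)sizeof tmp) return -1;
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    int rc = write_all(fd, payload, strlen(payload));
    if (rc == 0 && fchmod(fd, 0644) != 0) rc = -1;  /* mkstemp creates mode 0600 */
    close(fd);
    if (rc != 0) { unlink(tmp); return -1; }
    return rename(tmp, target);
}

/* Returns 1 if the file at path holds exactly the expected bytes. */
static int file_has_content(const char *path, const char *expected) {
    char buf[256];
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0) return 0;
    buf[n] = '\0';
    return strcmp(buf, expected) == 0;
}

/* Simulate the attack in a scratch directory: the attacker, who can write to
 * the install directory, plants a symlink at the name the installer is
 * expected to use, pointing at a "victim" file. Returns 1 if the victim was
 * overwritten, 0 if it survived intact, -1 on setup failure. */
static int run_attack(int (*stage)(const char *, const char *)) {
    char dir[] = "/tmp/predictable-tmp-demo-XXXXXX";  /* constructed sandbox */
    if (mkdtemp(dir) == NULL) return -1;
    char victim[PATHBUF], target[PATHBUF], planted[PATHBUF];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(target, sizeof target, "%s/installed-file", dir);
    snprintf(planted, sizeof planted, "%s;tmp", target);  /* attacker's guess */

    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    write_all(fd, "original\n", 9);
    close(fd);
    if (symlink(victim, planted) != 0) return -1;

    stage(target, "installer payload\n");
    int clobbered = !file_has_content(victim, "original\n");

    unlink(target); unlink(planted); unlink(victim); rmdir(dir);
    return clobbered;
}

int main(void) {
    printf("predictable name: victim %s\n",
           run_attack(stage_predictable) == 1 ? "overwritten" : "intact");
    printf("mkstemp name:     victim %s\n",
           run_attack(stage_unpredictable) == 1 ? "overwritten" : "intact");
    return 0;
}
```

Two properties matter in the hardened variant, and the simulation only exercises the first: the name is unpredictable, so the planted link is never the path the installer uses; and the file is created with O_EXCL, so even a correctly guessed name would make the open fail rather than write through a symlink. When auditing an installer, check both, since a random suffix alone still races if the open follows symlinks.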
-----Begin Update-----
Summary of changes from RPM 4.13.0.2

Security fixes
- Revised fix for CVE-2017-7501 for more robust hardlink handling (RhBug:1514608)

General bugfixes
- Fix file lists getting fed to file triggers multiple times (#370)
- Fix not all %transfiletriggerpostun file triggers executing (RhBug:1514085)
- Fix file triggers executing before file fingerprinting
- Fix file triggers firing on non-installed files
- Fix file signatures failing on hardlinked files (#333)

Package building
- Fix signature header sometimes corrupting main header on > 4GB packages (#379)
- Fix non-standard inherited modes of directories in debuginfo (RhBug:641022)

Internal improvements
- Fix header not available during RPMCALLBACK_ELEM_PROGRESS callback
- Fix header not available during file trigger scriptlet callbacks (RhBug:1485389)
- Fix various file trigger scriptlet diagnostics showing “unknown” + other minor file trigger diagnostic improvements

Build process
- Some new testcases
-----End Update------

Last Modified: March 29, 2018, 5:07:39 AM EDT
This issue was resolved and addressed in GLSA 201811-22 at https://security.gentoo.org/glsa/201811-22 by GLSA coordinator Aaron Bauman (b-man).