It was found that versions of rpm before 184.108.40.206 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.
@maintainer(s): after bump, please call for stabilization when ready, thank you.
Gentoo Security Padawan
Summary of changes from RPM 220.127.116.11
Revised fix for CVE-2017-7501 for more robust hardlink handling (RhBug:1514608)
Fix file lists getting fed to file triggers multiple times (#370)
Fix not all %transfiletriggerpostun file triggers executing (RhBug:1514085)
Fix file triggers executing before file fingerprinting
Fix file triggers firing on non-installed files
Fix file signatures failing on hardlinked files (#333)
Fix signature header sometimes corrupting main header on > 4GB packages (#379)
Fix non-standard inherented modes of directories in debuginfo (RhBug:641022)
Fix header not available during RPMCALLBACK_ELEM_PROGRESS callback
Fix header not available during file trigger scriptlet callbacks (RhBug:1485389)
Fix various file trigger scriptlet diagnostics showing “unknown” + other minor file trigger diagnostic improvements
Some new testcases
Last Modified: March 29, 2018, 5:07:39 AM EDT
This issue was resolved and addressed in
GLSA 201811-22 at https://security.gentoo.org/glsa/201811-22
by GLSA coordinator Aaron Bauman (b-man).