Description
Security update for rpm
This update for rpm fixes the following issues:
This security vulnerability was fixed:
- CVE-2017-7500: Fixed symlink attacks during RPM installation (bsc#943457)
Package list
SUSE Linux Enterprise Module for Basesystem 15
python2-rpm-4.14.1-10.3.1
python3-rpm-4.14.1-10.3.1
rpm-4.14.1-10.3.1
rpm-32bit-4.14.1-10.3.1
rpm-devel-4.14.1-10.3.1
SUSE Linux Enterprise Module for Development Tools 15
rpm-build-4.14.1-10.3.1
References
- Link for SUSE-SU-2018:2073-1
- E-Mail link for SUSE-SU-2018:2073-1
- SUSE Security Ratings
- SUSE Bug 1094735
- SUSE Bug 1095148
- SUSE Bug 943457
- SUSE CVE CVE-2017-7500 page
Description
It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.
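The class of flaw described above, shown as an added C example (not rpm's code and not its actual fix): a path-based directory setup that follows a symlink at the destination, beside a descriptor-based version that refuses it. The function names are hypothetical, and the example changes permissions with chmod rather than ownership with chown so that it runs without root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Weak pattern (hypothetical helper): path-based calls resolve a symlink
 * at `path`, so the mode change lands on whatever directory the link
 * points to, not on a directory the installer created itself. */
int prepare_dir_following(const char *path, mode_t mode)
{
    if (mkdir(path, mode) != 0 && errno != EEXIST)
        return -1;
    return chmod(path, mode);              /* chmod() follows symlinks */
}

/* Hardened pattern (hypothetical helper): resolve the final component
 * relative to an already opened parent directory, refuse symlinks, and
 * apply the change through the descriptor only. */
int prepare_dir_nofollow(int parent_fd, const char *name, mode_t mode)
{
    struct stat st;
    int fd, rc;

    if (mkdirat(parent_fd, name, mode) != 0 && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW makes the open fail if `name` is a symlink;
     * O_DIRECTORY makes it fail if it is not a directory. */
    fd = openat(parent_fd, name,
                O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    rc = fstat(fd, &st);
    if (rc == 0 && !S_ISDIR(st.st_mode))
        rc = -1;
    if (rc == 0)
        rc = fchmod(fd, mode);             /* acts on the inode we opened */
    close(fd);
    return rc;
}
```

The second function only protects the final path component; every intermediate directory would need the same descriptor-relative treatment.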
Affected products
SUSE Linux Enterprise Module for Basesystem 15:python2-rpm-4.14.1-10.3.1
SUSE Linux Enterprise Module for Basesystem 15:python3-rpm-4.14.1-10.3.1
SUSE Linux Enterprise Module for Basesystem 15:rpm-32bit-4.14.1-10.3.1
SUSE Linux Enterprise Module for Basesystem 15:rpm-4.14.1-10.3.1
References
- CVE-2017-7500
- SUSE Bug 1126909
- SUSE Bug 1135195
- SUSE Bug 1157882
- SUSE Bug 1157883
- SUSE Bug 943457
- SUSE Bug 964063