[Rpm-maint] [rpm-software-management/rpm] First steps towards fixing the symlink CVEs (PR #1919)
Demi Marie Obenour
notifications at github.com
Thu Feb 10 16:47:02 UTC 2022
@DemiMarie commented on this pull request.
On Linux, using `openat2()` will be much simpler and more efficient on kernels that support it. RPM is not Linux-specific, but `openat2()` might be useful where available.
> @@ -103,6 +103,8 @@ option to configure). For GCC, OpenMP 4.5 is fully supported since GCC 6.1,
which is available from
http://www.gnu.org/
+Rpm requires a POSIX.1-2008 level operating system.
```suggestion
RPM requires a POSIX.1-2008 level operating system.
```
> (rc < 0 ? strerror(errno) : ""));
if (rc < 0) rc = RPMERR_MKDIR_FAILED;
return rc;
}
+static int fsmOpenat(int dirfd, const char *path, int flags)
+{
+ struct stat lsb, sb;
+ int sflags = flags | O_NOFOLLOW;
+ int fd = openat(dirfd, path, sflags);
+
+ /*
+ * Only ever follow symlinks by root or target owner. Since we can't
+ * open the symlink itself, the order matters: we stat the link *after*
Would Linux `O_PATH` help?
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1919#pullrequestreview-879125535
You are receiving this because you are subscribed to this thread.
Message ID: <rpm-software-management/rpm/pull/1919/review/879125535 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20220210/da73ac17/attachment-0001.html>
More information about the Rpm-maint
mailing list