[Rpm-maint] [rpm-software-management/rpm] First steps towards fixing the symlink CVEs (PR #1919)
Panu Matilainen
notifications at github.com
Fri Feb 11 06:50:58 UTC 2022
@pmatilai commented on this pull request.
> (rc < 0 ? strerror(errno) : ""));
if (rc < 0) rc = RPMERR_MKDIR_FAILED;
return rc;
}
+static int fsmOpenat(int dirfd, const char *path, int flags)
+{
+ struct stat lsb, sb;
+ int sflags = flags | O_NOFOLLOW;
+ int fd = openat(dirfd, path, sflags);
+
+ /*
+ * Only ever follow symlinks by root or target owner. Since we can't
+ * open the symlink itself, the order matters: we stat the link *after*
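Review bot: in `int sflags = flags | O_NOFOLLOW;`, O_NOFOLLOW only applies to the final component of `path`, so a symlink in any intermediate directory component is still followed by `openat()`. Either state in a header comment on `fsmOpenat()` that callers must pass a single file name relative to `dirfd`, or reject a `path` containing '/' before the open. The same header comment should say what the function returns on failure, since the visible comment explains the stat ordering but not the contract.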
Rpm is not Linux-only.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1919#discussion_r804391795