[Rpm-maint] [rpm-software-management/rpm] First steps towards fixing the symlink CVEs (PR #1919)

Panu Matilainen notifications at github.com
Fri Feb 11 06:50:58 UTC 2022


@pmatilai commented on this pull request.



>  	       (rc < 0 ? strerror(errno) : ""));
     if (rc < 0)	rc = RPMERR_MKDIR_FAILED;
     return rc;
 }
 
+static int fsmOpenat(int dirfd, const char *path, int flags)
+{
+    struct stat lsb, sb;
+    int sflags = flags | O_NOFOLLOW;
+    int fd = openat(dirfd, path, sflags);
+
+    /*
+     * Only ever follow symlinks by root or target owner. Since we can't
+     * open the symlink itself, the order matters: we stat the link *after*

Rpm is not Linux-only.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1919#discussion_r804391795
You are receiving this because you are subscribed to this thread.

Message ID: <rpm-software-management/rpm/pull/1919/review/879819819 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20220210/734465f6/attachment.html>


More information about the Rpm-maint mailing list