Specfile has unnecessary "fix-up" logic that should be removed
Description
There are some commands in the specfile(s) that do some blind file operations that can be exploited by use of symlinks, and they're pretty much unnecessary nowadays since they date back to very old versions to update file ownership. They should be removed and the files reviewed for any other stale logic.
Environment
None
Activity
Scott Cantor March 5, 2020 at 5:09 PM
I don't see anything else currently warranted for removal from the specfile.
Scott Cantor February 5, 2020 at 4:07 PM
And for the record in case I need to refer more people to this, I do not consider this a security bug or anything significant enough to warrant a CVE and don't agree with the characterization.
Scott Cantor November 22, 2019 at 2:17 PM
SUSE chose to allocate a CVE for this, CVE-2019-19191.
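A review aid for the kind of scriptlet logic this issue describes, added here as an example and not part of the original issue or the project's specfile: it lists `chown`/`chgrp`/`chmod` calls that install-time scriptlets run as root, so each can be checked for whether it is still needed. The sample spec, the `exampled` names and paths, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list ownership/permission commands that RPM scriptlets run
# as root at install time. The spec below is constructed, not the project's file.

sample_spec() {
cat <<'EOF'
Name: exampled
%install
chmod 755 %{buildroot}/usr/sbin/exampled
%post
# legacy fix-up from an old release
chown -R exampled:exampled /var/log/exampled
chmod 600 /var/cache/exampled/state
/sbin/ldconfig
%preun
chown -h root:root /etc/exampled/key.pem
%files
%attr(0750,exampled,exampled) /var/log/exampled
EOF
}

# Reads a spec on stdin; prints "line:section:hint:command" per finding.
# Hints: no-deref = -h given; recursive = -R given; deref = neither, so a
# symlink operand is followed and its target is changed.
audit_scriptlets() {
awk '
  $1 ~ /^%(if|ifarch|ifnarch|else|endif|define|global)$/ { next }
  $1 ~ /^%(pre|post|preun|postun|pretrans|posttrans)$/ { sect = $1; next }
  $1 ~ /^%[a-z]+$/ { sect = ""; next }   # any other section ends the scriptlet
  sect == "" || $1 ~ /^#/ { next }
  {
    hit = 0
    for (i = 1; i <= NF; i++) {          # match chown, /bin/chown, "&& chown"
      n = split($i, part, "/")
      if (part[n] ~ /^(chown|chgrp|chmod)$/) hit = 1
    }
    if (!hit) next
    hint = "deref"
    if ($0 ~ /[ \t]-[A-Za-z]*h/ || $0 ~ /--no-dereference/) hint = "no-deref"
    else if ($0 ~ /[ \t]-[A-Za-z]*R/ || $0 ~ /--recursive/) hint = "recursive"
    printf "%d:%s:%s:%s\n", NR, sect, hint, $0
  }'
}

sample_spec | audit_scriptlets
```

Build-time sections such as `%install` are skipped on purpose, and ownership declared through `%attr` in `%files` is not flagged because the package manager applies it rather than a scriptlet.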