Fedora 27 : rpm (2018-2c9120d494)

high Nessus Plugin ID 118857

Synopsis

The remote Fedora host is missing a security update.

Description

An unfortunate regression in rpm 4.14.2 causes --setperms to behave incorrectly on symbolic links: file and directory permissions become world-writable and executable on symlink targets. A similar flaw exists in --setugids, but it is less exploitable.

If you have used --setperms (or --setugids, or --restore) with rpm 4.14.2, you should verify system integrity with rpm --verify before correcting any mixed-up permissions and ownerships, to avoid possibly giving suid capabilities to a modified binary.

Further details of the --setperms bug are available upstream:
http://rpm.org/wiki/Releases/4.14.2.1

**Note that this update cannot automatically fix possible damage done by using --setperms, --setugids or --restore with rpm 4.14.2; it merely fixes the functionality itself. Any damage needs to be investigated and fixed manually, such as by using --verify and --restore or reinstalling packages.**

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
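
As an added example (not part of the Fedora or Tenable text), the shell function below triages `rpm --verify --all` output in the order the description recommends: files whose digest changed are flagged for investigation before any mode or ownership is restored. The function names, verdict labels and sample lines are constructed for illustration, and treating content changes in config files as expected is an assumption of the example.

```shell
#!/bin/sh
# Added example: triage `rpm --verify --all` output before restoring anything.
# Verify flags are 9 columns, SM5DLUGTP: M=mode, 5=digest, U=user, G=group.

# Constructed sample lines in rpm --verify format (not from a real host).
sample_verify_output() {
    cat <<'EOF'
.M.......    /usr/bin/example-tool
..5....T.    /usr/sbin/example-daemon
.M5....T.    /usr/bin/example-suid
S.5....T.  c /etc/example.conf
.....UG..    /var/lib/example
missing      /usr/share/doc/example/README
EOF
}

# Reads verify lines on stdin, prints "<VERDICT> <path>" per actionable file.
classify_verify() {
    awk '
    {
        path = $0
        # Drop the flags column and the optional attribute marker (c d g l r).
        sub(/^[^ ]+ +([cdglr] +)?/, "", path)
        attr = ($2 ~ /^[cdglr]$/) ? $2 : ""
    }
    $1 == "missing" { print "MISSING", path; next }
    length($1) != 9 { next }
    {
        digest = substr($1, 3, 1)
        perms  = substr($1, 2, 1) substr($1, 6, 1) substr($1, 7, 1)
        # Content differs from the package: do not restore modes on it,
        # a setuid bit could land on a modified binary. Config files are
        # assumed to be edited legitimately (assumption of this example).
        if (digest == "5" && attr != "c") { print "INVESTIGATE", path; next }
        # Digest could not be read (for example, not running as root).
        if (digest == "?") { print "UNVERIFIED", path; next }
        # Content matches the package; only mode/owner/group drifted.
        if (perms ~ /[MUG]/) print "RESTORE", path
    }'
}

# On a real host: rpm --verify --all | classify_verify
```

Only paths reported as RESTORE are candidates for `rpm --restore` once the fixed rpm is installed; INVESTIGATE and MISSING entries call for manual inspection or a package reinstall first.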

Solution

Update the affected rpm package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2018-2c9120d494

Plugin Details

Severity: High

ID: 118857

File Name: fedora_2018-2c9120d494.nasl

Version: 1.4

Type: local

Agent: unix

Published: 11/11/2018

Updated: 1/6/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:rpm, cpe:/o:fedoraproject:fedora:27

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 11/10/2018

Vulnerability Publication Date: 11/10/2018

Reference Information