Blame SOURCES/0001-Fix-nasty-setperms-setugids-regression-in-4.14.2-RhB.patch

From 0d83637769b8a122b1e80f2e960ea1bbae8b4f10 Mon Sep 17 00:00:00 2001
Message-Id: <0d83637769b8a122b1e80f2e960ea1bbae8b4f10.1540199566.git.pmatilai@redhat.com>
From: Panu Matilainen <pmatilai@redhat.com>
Date: Mon, 22 Oct 2018 10:52:39 +0300
Subject: [PATCH] Fix nasty --setperms/--setugids regression in 4.14.2 (RhBug:
 1640470)
Commit 38c2f6e160d5ed3e9c3a266139c7eb2632724c15 causes --setperms and
--setugids to follow symlinks instead of skipping them.

In case of --setperms, all encountered symlinks will have their
target file/directory permissions set to the 0777 of the link itself
(so world writable etc. but suid/sgid stripped), temporarily or permanently,
depending on whether the symlink occurs before or after its target in the
package file list. When the link occurs before its target, there's a short
window where the target is world writable before having its permissions
reset to original, making it particularly bad for suid/sgid binaries.
--setugids is similarly affected with link targets owner/group changing
to that of the symlink.
Add missing parentheses to the conditions introduced in commit
38c2f6e160d5ed3e9c3a266139c7eb2632724c15 to fix.
Reported by Karel Srot, patch by Pavlina Moravcova Varekova.
---
 rpmpopt.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rpmpopt.in b/rpmpopt.in
043c42
index 8aaa91f11..42d3416a3 100644
043c42
--- a/rpmpopt.in
043c42
+++ b/rpmpopt.in
043c42
@@ -44,14 +44,14 @@ rpm	alias --scripts --qf '\
043c42
 	--POPTdesc=$"list install/erase scriptlets from package(s)"
043c42
 
043c42
 rpm	alias --setperms -q --qf '[\[ -L %{FILENAMES:shescape} \] || \
043c42
-        \[ $((%{FILEFLAGS} & 2#1001000)) != 0 \] && \[ ! -e %{FILENAMES:shescape} \] || \
043c42
+        ( \[ $((%{FILEFLAGS} & 2#1001000)) != 0 \] && \[ ! -e %{FILENAMES:shescape} \] ) || \
043c42
         chmod %7{FILEMODES:octal} %{FILENAMES:shescape}\n]' \
043c42
 		   --pipe "grep -v \(none\) | grep '^. -L ' | sed 's/chmod .../chmod /' | sh" \
043c42
 	--POPTdesc=$"set permissions of files in a package"
043c42
 
043c42
 rpm	alias --setugids -q --qf \
043c42
 	'[ch %{FILEUSERNAME:shescape} %{FILEGROUPNAME:shescape} %{FILENAMES:shescape} %{FILEFLAGS}\n]' \
043c42
-	--pipe "(echo 'ch() { \[ $(($4 & 2#1001000)) != 0 \] && \[ ! -e \"$3\" \] || \
043c42
+	--pipe "(echo 'ch() { ( \[ $(($4 & 2#1001000)) != 0 \] && \[ ! -e \"$3\" \] ) || \
043c42
 		(chown -h -- \"$1\" \"$3\";chgrp -h -- \"$2\" \"$3\";) }'; \
043c42
 		grep '^ch '|grep -v \(none\))|sh" \
043c42
 	--POPTdesc=$"set user/group ownership of files in a package"
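Review bot: The `2#1001000` base-prefixed literal on both added lines is a bash arithmetic extension, yet each generated command is run by `sh` through `--pipe`, so on a system where /bin/sh is dash or another strictly POSIX shell the `$((...))` expansion aborts with an arithmetic syntax error and the whole --setperms / --setugids alias does nothing. Spelling the mask in decimal keeps the same value (0b1001000 = 72) and is portable: `\[ $((%{FILEFLAGS} & 72)) != 0 \]` in --setperms and `\[ $(($4 & 72)) != 0 \]` inside ch(). Because the mask then becomes an opaque number, a comment line above each alias such as `# 72 = file-flag bits (presumably RPMFILE_MISSINGOK|RPMFILE_GHOST): skip such files when they do not exist` would document the intent. The literal is not new to this commit (it was on the removed lines too), but the grouping fix is the natural moment to make the expression portable.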
043c42
-- 
2.17.2