Security update for rpm SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:2215-1 Final 1 1 2018-08-06T08:49:14Z current 2018-08-06T08:49:14Z 2018-08-06T08:49:14Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rpm This update for rpm fixes the following issues: This security vulnerability was fixed: - CVE-2017-7500: Fixed symlink attacks during RPM installation (bsc#943457) This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00016.html E-Mail link for openSUSE-SU-2018:2215-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 15.0 python-rpm-4.14.1-lp150.9.3.1 python2-rpm-4.14.1-lp150.9.3.1 python3-rpm-4.14.1-lp150.9.3.1 rpm-4.14.1-lp150.9.3.1 rpm-32bit-4.14.1-lp150.9.3.1 rpm-build-4.14.1-lp150.9.3.1 rpm-devel-4.14.1-lp150.9.3.1 python-rpm-4.14.1-lp150.9.3.1 as a component of openSUSE Leap 15.0 python2-rpm-4.14.1-lp150.9.3.1 as a component of openSUSE Leap 15.0 python3-rpm-4.14.1-lp150.9.3.1 as a component of openSUSE Leap 15.0 rpm-4.14.1-lp150.9.3.1 as a component of openSUSE Leap 15.0 rpm-32bit-4.14.1-lp150.9.3.1 as a component of openSUSE Leap 15.0 rpm-build-4.14.1-lp150.9.3.1 as a component of openSUSE Leap 15.0 rpm-devel-4.14.1-lp150.9.3.1 as a component of openSUSE Leap 15.0 It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege. CVE-2017-7500 openSUSE Leap 15.0:python-rpm-4.14.1-lp150.9.3.1 openSUSE Leap 15.0:python2-rpm-4.14.1-lp150.9.3.1 openSUSE Leap 15.0:python3-rpm-4.14.1-lp150.9.3.1 openSUSE Leap 15.0:rpm-32bit-4.14.1-lp150.9.3.1 openSUSE Leap 15.0:rpm-4.14.1-lp150.9.3.1 openSUSE Leap 15.0:rpm-build-4.14.1-lp150.9.3.1 openSUSE Leap 15.0:rpm-devel-4.14.1-lp150.9.3.1 important 6.8 AV:L/AC:L/Au:S/C:C/I:C/A:C Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00016.html https://www.suse.com/security/cve/CVE-2017-7500.html CVE-2017-7500 https://bugzilla.suse.com/943457 SUSE Bug 943457 https://bugzilla.suse.com/964063 SUSE Bug 964063