Hello community,

here is the log from the commit of package trousers for openSUSE:Factory 
checked in at 2019-11-26 17:05:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/trousers (Old)
 and      /work/SRC/openSUSE:Factory/.trousers.new.26869 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "trousers"

Tue Nov 26 17:05:11 2019 rev:42 rq:750985 version:0.3.14

Changes:
--------
--- /work/SRC/openSUSE:Factory/trousers/trousers.changes        2019-09-10 
00:04:43.649202475 +0200
+++ /work/SRC/openSUSE:Factory/.trousers.new.26869/trousers.changes     
2019-11-26 17:06:13.707968439 +0100
@@ -1,0 +2,8 @@
+Tue Nov 26 09:14:39 UTC 2019 - matthias.gerst...@suse.com
+
+- Fix a local symlink attack problem with the %posttrans scriptlet
+  (bsc#1157651, CVE-2019-18898). A rogue tss user could have used this attack
+  to gain ownership of arbitrary files in the system during
+  installation/update of the trousers package.
+
+-------------------------------------------------------------------
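Review bot: The changelog entry in this hunk states the impact of CVE-2019-18898 but not what was changed to fix it. Consider adding one line saying that the %posttrans restore step now calls mv with --no-target-directory and chown with --no-dereference, so that someone reading only the .changes file can tell how the symlink problem was addressed.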

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ trousers.spec ++++++
--- /var/tmp/diff_new_pack.7m7sBL/_old  2019-11-26 17:06:14.339968221 +0100
+++ /var/tmp/diff_new_pack.7m7sBL/_new  2019-11-26 17:06:14.343968220 +0100
@@ -118,7 +118,7 @@
 
 %pretrans
 # this scriplet and the counterpart in %posttrans work around a packaging bug
-# that was present in all trousers packages since around 2008.
+# that was present in all trousers packages since around 2008 until 2018.
 # /var/lib/tpm/system.data.* was wrongly packaged as runtime state data
 # instead of package resource data in /usr/share. After removal of these files
 # from packaging, during updating they will be deleted. Since users could have
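Review bot: The updated comment line "since around 2008 until 2018" reads awkwardly; "from around 2008 until 2018" would be clearer. Since the comment block is being touched anyway, the "scriplet" typo in the line above could be corrected to "scriptlet" in the same change, and a sentence noting that the restore step must be safe against symlinks would document the reason for the flags added further down.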
@@ -152,8 +152,8 @@
        [ -e "${file}" ] && continue
        # restore the original file
        echo "restoring backup of $file"
-       mv ${file}.rpmsave ${file}
-       chown tss:tss "${file}"
+       mv --no-target-directory ${file}.rpmsave ${file}
+       chown --no-dereference tss:tss "${file}"
 done
 
 %postun
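Review bot: The new mv line still leaves ${file}.rpmsave and ${file} unquoted, while the chown line directly below quotes "${file}"; quote both mv operands so that a path containing whitespace or glob characters cannot expand into extra arguments. The -e test at the top of the loop body and the mv and chown calls are also separate steps, so the new flags only help at the moment each command runs. Consider also checking that ${file}.rpmsave is a regular file and not a symlink before restoring it, and add a short comment explaining why --no-target-directory and --no-dereference are required so that they are not dropped in a later cleanup.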

