Hello community, here is the log from the commit of package trousers for openSUSE:Factory checked in at 2019-11-26 17:05:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/trousers (Old) and /work/SRC/openSUSE:Factory/.trousers.new.26869 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "trousers" Tue Nov 26 17:05:11 2019 rev:42 rq:750985 version:0.3.14 Changes: -------- --- /work/SRC/openSUSE:Factory/trousers/trousers.changes 2019-09-10 00:04:43.649202475 +0200 +++ /work/SRC/openSUSE:Factory/.trousers.new.26869/trousers.changes 2019-11-26 17:06:13.707968439 +0100 @@ -1,0 +2,8 @@ +Tue Nov 26 09:14:39 UTC 2019 - matthias.gerst...@suse.com + +- Fix a local symlink attack problem with the %posttrans scriptlet + (bsc#1157651, CVE-2019-18898). A rogue tss user could have used this attack + to gain ownership of arbitrary files in the system during + installation/update of the trousers package. + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ trousers.spec ++++++ --- /var/tmp/diff_new_pack.7m7sBL/_old 2019-11-26 17:06:14.339968221 +0100 +++ /var/tmp/diff_new_pack.7m7sBL/_new 2019-11-26 17:06:14.343968220 +0100 @@ -118,7 +118,7 @@ %pretrans # this scriplet and the counterpart in %posttrans work around a packaging bug -# that was present in all trousers packages since around 2008. +# that was present in all trousers packages since around 2008 until 2018. # /var/lib/tpm/system.data.* was wrongly packaged as runtime state data # instead of package resource data in /usr/share. After removal of these files # from packaging, during updating they will be deleted. Since users could have @@ -152,8 +152,8 @@ [ -e "${file}" ] && continue # restore the original file echo "restoring backup of $file" - mv ${file}.rpmsave ${file} - chown tss:tss "${file}" + mv --no-target-directory ${file}.rpmsave ${file} + chown --no-dereference tss:tss "${file}" done %postun
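Review bot: the new trousers.changes entry names the affected scriptlet and the bug/CVE ids but not what was actually changed; for a security fix the changelog should say that the %posttrans restore now uses `mv --no-target-directory` and `chown --no-dereference` so that a symlink placed at the destination or at the backup is no longer followed, which is what the trousers.spec hunk below does. That lets anyone reading the changelog (or backporting) see the mechanism without diffing the spec.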
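Review bot: in the @@ -118,7 @@ hunk the unchanged context line directly above the edited comment still reads "this scriplet"; since the comment is being touched anyway, fix it to "scriptlet". The new wording "since around 2008 until 2018" also reads better as "from around 2008 until 2018".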
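Review bot: in the @@ -152,8 @@ hunk the `mv` operands `${file}.rpmsave` and `${file}` remain unquoted while the `chown` line quotes `"${file}"`; quote both for consistency so whitespace or glob characters in a path cannot split into extra arguments, i.e. `mv --no-target-directory "${file}.rpmsave" "${file}"`. The two added options are the whole of the fix (`--no-target-directory` renames over the destination instead of moving into a symlinked directory, `--no-dereference` changes the ownership of a link itself rather than of whatever it points to), so a one-line comment on these lines referencing bsc#1157651 / CVE-2019-18898 would stop a later cleanup from dropping them as noise; the `[ -e "${file}" ] && continue` check above the move is also not atomic with the `mv`, which is worth stating in that comment as the reason the options are needed.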