RPM 4.14.2.1 Release Notes

Download information

  • rpm-4.14.2.1.tar.bz2 source
  • SHA256SUM: 1139c24b7372f89c0a697096bf9809be70ba55e006c23ff47305c1849d98acda

Summary of changes from RPM 4.14.2

Security fixes

  • Fix regression in –setperms, –setugids and –restore (RhBug:1640470) in 4.14.2:

    In case of –setperms, all encountered symlinks would have their target file/directory permissions set to the 0777 of the link itself (so world writable etc but suid/sgid stripped), temporarily or permanently, depending on whether the symlink occurs before or after it’s target in the package file list. When the link occurs before its target, there’s a short window where the target is world writable before having it’s permissions reset to original, making it particularly bad for suid/sgid binaries.

    –setugids was similarly affected with link targets owner/group changing to that of the symlink.

    –restore was affected as it utilizes –setperms and –setugids to do it’s task.

    Note that this update can not automatically fix possible damage done by using –setperms, –setugids or –restore with rpm 4.14.2, it merely fixes the functionlity itself. Any damage needs to be investigated and fixed manually, such as using –verify and –restore or reinstalling packages.

General bugfixes

  • Fix package verification memory leak introduced in 4.14.2
  • Fix long-standing Python GIL locking bug
  • Fix long-standing broken library path of embedded Lua