Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Make verification match the new restricted directory symlink behavior
Only follow directory symlinks owned by target directory owner or root during verification to match the behavior of fsmVerify() in the new CVE-2017-7500 world order. The code is klunkier than it should and the logic should use common code with fsmVerify() instead of duplicating it here, but that needs more changes than is comfortable to backport so starting with this. Also worth noting that the previous "follow the link" logic from commit 3ccd774 was not quite right, it'd fail with RPMVERIFY_LSTATFAIL on a broken symlink when it should've ran verification on the symlink itself. This behavior is fixed here too. Finally, once again fakechroot gets in the way and forces the related verify testcase to be changed to be able to create a valid link. Reuse the replacement testcase for the purpose and add another case for verifying an invalid link.
- Loading branch information
Showing
2 changed files
with
59 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters