2010/1/18 Jiri Moskovcak <jmoskovc(a)redhat.com>:
> On 01/18/2010 01:28 PM, Thomas Moschny wrote:
>> 2010/1/18 Jiri Moskovcak <jmoskovc(a)redhat.com>:
>>> ABRT used to do this (and still can, it's just disabled), but rpm -V uses
>>> prelink to un-prelink the binaries to check the MD5 sum and security guys
>>> don't like it.
>>
>> Can you explain what's the security problem here?
>> The outcome would be a boolean and a reject to send the report (or at
>> least a big warning).
>>
>> - Thomas
>
> The problem is during the "un-prelink" part, please see these BZs: 546572,
> 546350, 546987, 546772

Not sure I get it. Am I understanding it correctly that prelink -y
(which is called by rpm -V) writes the 'original', un-prelinked binary
somewhere (surely a temporary location) and this is considered
insecure?
But an ordinary user can call rpm -V any time.
- Thomas