ABRT frustrating for users and developers
Thomas Moschny
thomas.moschny at gmail.com
Mon Jan 18 12:57:36 UTC 2010
2010/1/18 Jiri Moskovcak <jmoskovc at redhat.com>:
> On 01/18/2010 01:28 PM, Thomas Moschny wrote:
>> 2010/1/18 Jiri Moskovcak<jmoskovc at redhat.com>:
>>> ABRT used to do this (and still can, it's just disabled), but rpm -V uses
>>> prelink to un-prelink the binaries to check the MD5 sum and security guys
>>> don't like it.
>>
>> Can you explain what's the security problem here?
>> The outcome would be a boolean and a reject to send the report (or at
>> least a big warning).
>>
>> - Thomas
>
> The problem is during the "un-prelink" part, please see this BZs: 546572,
> 546350, 546987, 546772
Not sure I get it. Am I understanding it correctly that prelink -y
(which is called by rpm -V) writes the 'original', un-prelinked binary
somewhere (surely a temporary location) and this is considered
insecure?
But an ordinary user can call rpm -V any time.
- Thomas
More information about the devel
mailing list