2010/1/18 Jiri Moskovcak <jmoskovc@xxxxxxxxxx>:
> On 01/18/2010 01:28 PM, Thomas Moschny wrote:
>> 2010/1/18 Jiri Moskovcak <jmoskovc@xxxxxxxxxx>:
>>> ABRT used to do this (and still can, it's just disabled), but rpm -V uses
>>> prelink to un-prelink the binaries to check the MD5 sum and security guys
>>> don't like it.
>>
>> Can you explain what's the security problem here?
>> The outcome would be a boolean and a reject to send the report (or at
>> least a big warning).
>>
>> - Thomas
>
> The problem is during the "un-prelink" part, please see these BZs: 546572,
> 546350, 546987, 546772

Not sure I get it. Am I understanding it correctly that prelink -y
(which is called by rpm -V) writes the 'original', un-prelinked binary
somewhere (surely a temporary location) and this is considered
insecure? But an ordinary user can call rpm -V any time.

- Thomas
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel