Comment 9 for bug 634183

Jeff (jeff-redhat-bugs) wrote:

Wrong? Perhaps you should add some karma to these bug reports ... ah
bugzilla doesn't have negative karma ...

The mechanism for the escalation vector for all of
    setuid/setgid has CVE (and ancient fix resurrected)
    capabilities has CVS (and current fix)
    ACL's "wrong"
    XATTR's SE Linux uses these
is identical:

   Robert uses RPM to install a file on a path attaching metadata to inode.
   Malicious Mark (or Sysadmin Susie) creates a hardlink to the file.
   Robert removes the package and RPM removes the file it created.

Either _ALL_ or _NONE_ of the metadata cleanup issues that are left attached to Mark's
hardlink that (possibly) can be used as escalation vectors need to be addressed by RPM.
Nothing else makes logical sense.

Which was one point in comment #13 in #125517. Another point is that there
are far more severe problems in RPM including that syntax errors like
    Name: foo;~
in spec files can be used to trick rpmbuild into removing home directories and worse.

Who decides what issues get CVE's and which do not? Damfino.
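
An added illustration, not part of the original comment and not RPM's code, of the install / hardlink / erase sequence described above, limited to the setuid mode bit and run in a scratch directory. The file names and the bit-clearing cleanup in `careful_erase` are assumptions chosen for the demonstration; capabilities, ACLs and xattrs live on the same inode but are not covered here.

```python
import os
import stat
import tempfile


def install(path):
    """Stand-in for package install: create a file and attach setuid to its inode."""
    with open(path, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(path, 0o4755)


def naive_erase(path):
    """Remove only the name the package created; the inode and its mode survive."""
    os.unlink(path)


def careful_erase(path):
    """Assumed cleanup: clear setuid/setgid on the inode before unlinking.

    Returns the number of extra hardlinks that still reference the inode,
    so a caller could log or audit them.
    """
    st = os.lstat(path)
    extra_links = st.st_nlink - 1
    if stat.S_ISREG(st.st_mode):
        cleared = stat.S_IMODE(st.st_mode) & ~(stat.S_ISUID | stat.S_ISGID)
        os.chmod(path, cleared)
    os.unlink(path)
    return extra_links


def leftover_setuid(erase):
    """Run install -> hardlink -> erase and report the setuid bit left on the link."""
    with tempfile.TemporaryDirectory() as scratch:
        pkg_file = os.path.join(scratch, "pkg-binary")    # constructed name
        other_link = os.path.join(scratch, "second-link")  # constructed name
        install(pkg_file)
        os.link(pkg_file, other_link)  # second name for the same inode
        erase(pkg_file)
        return os.lstat(other_link).st_mode & stat.S_ISUID


if __name__ == "__main__":
    print("naive erase leaves setuid:  ", bool(leftover_setuid(naive_erase)))
    print("careful erase leaves setuid:", bool(leftover_setuid(careful_erase)))
```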