(In reply to comment #7)
> MITRE assigned these CVEs. We can certainly dispute the CVE assignment if we
> feel it is in error.
Please do, and close this bug as NOTABUG. POSIX ACLs do not permit privilege escalation, so there is no need to clear them, period.
> If rpm doesn't set POSIX ACLs then we probably should dispute it (regardless of
> the other capabilities because each of those has their own CVE name). It can't
> be a vulnerability if rpm never sets them (and I don't think we can call it a
> vulnerability in rpm if an admin sets a POSIX ACL, the file gets hardlinked,
> and rpm doesn't remove the ACLs that a) it never set and b) doesn't know
> about).
With respect to attributes that do permit privilege escalation, the opposite stance is taken in bug 598775 comment #16, second paragraph.