RPM: Multiple vulnerabilities — GLSA 201206-26

Multiple vulnerabilities have been found in RPM, possibly allowing local attackers to gain elevated privileges or remote attackers to execute arbitrary code.

Affected Packages

app-arch/rpm on all architectures
Affected versions < 4.9.1.3
Unaffected versions >= 4.9.1.3

Background

The Red Hat Package Manager (RPM) is a command line driven package management system capable of installing, uninstalling, verifying, querying, and updating computer software packages.

Description

Multiple vulnerabilities have been found in RPM:

  • fsm.c fails to properly strip setuid and setgid bits from executable files during a package upgrade (CVE-2010-2059).
  • RPM does not properly parse spec files (CVE-2010-2197).
  • fsm.c fails to properly strip POSIX file capabilities from executable files during a package upgrade or removal (CVE-2010-2198).
  • fsm.c fails to properly strip POSIX ACLs from executable files during a package upgrade or removal (CVE-2010-2199).
  • header.c does not properly parse region offsets in package files (CVE-2011-3378).
  • RPM does not properly sanitize region tags in package headers (CVE-2012-0060).
  • RPM does not properly sanitize region sizes in package headers (CVE-2012-0061).
  • RPM does not properly sanitize region offsets in package headers(CVE-2012-0815).

Impact

A local attacker may be able to gain elevated privileges. Furthermore, a remote attacker could entice a user to open a specially crafted RPM package, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All RPM users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-arch/rpm-4.9.1.3"
 

References

Release Date
June 24, 2012

Latest Revision
June 24, 2012: 1

Severity
high

Exploitable
local, remote

Bugzilla entries