GLSA Advocate
Joined: 12 May 2004 Posts: 2663
|
Posted: Mon Nov 13, 2006 11:26 pm Post subject: [ GLSA 200611-08 ] RPM: Buffer overflow |
|
|
Gentoo Linux Security Advisory
Title: RPM: Buffer overflow (GLSA 200611-08)
Severity: normal
Exploitable: remote
Date: November 13, 2006
Bug(s): #154218
ID: 200611-08
Synopsis
RPM is vulnerable to a buffer overflow and possibly the execution of
arbitrary code when opening specially crafted packages.
Background
The Red Hat Package Manager (RPM) is a command line driven package
management system capable of installing, uninstalling, verifying,
querying, and updating computer software packages.
Affected Packages
Package: app-arch/rpm
Vulnerable: < 4.4.6-r3
Unaffected: >= 4.4.6-r3
Architectures: All supported architectures
Description
Vladimir Mosgalin has reported that when processing certain packages,
RPM incorrectly allocates memory for the packages, possibly causing a
heap-based buffer overflow.
Impact
An attacker could entice a user to open a specially crafted RPM package
and execute code with the privileges of that user if certain locales
are set.
Workaround
There is no known workaround at this time.
Resolution
All RPM users should upgrade to the latest version:
Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/rpm-4.4.6-r3" |
References
CVE-2006-5466
Last edited by GLSA on Mon May 30, 2011 4:23 am; edited 2 times in total |
|