Joined: 12 May 2004
|Posted: Mon Nov 13, 2006 11:26 pm Post subject: [ GLSA 200611-08 ] RPM: Buffer overflow
|Gentoo Linux Security Advisory
Title: RPM: Buffer overflow (GLSA 200611-08)
Date: November 13, 2006
RPM is vulnerable to a buffer overflow and possibly the execution of
arbitrary code when opening specially crafted packages.
The Red Hat Package Manager (RPM) is a command line driven package
management system capable of installing, uninstalling, verifying,
querying, and updating computer software packages.
Vulnerable: < 4.4.6-r3
Unaffected: >= 4.4.6-r3
Architectures: All supported architectures
Vladimir Mosgalin has reported that when processing certain packages,
RPM incorrectly allocates memory for the packages, possibly causing a
heap-based buffer overflow.
An attacker could entice a user to open a specially crafted RPM package
and execute code with the privileges of that user if certain locales
There is no known workaround at this time.
All RPM users should upgrade to the latest version:
|# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/rpm-4.4.6-r3"
Last edited by GLSA on Mon May 30, 2011 4:23 am; edited 2 times in total