
rpm: code execution

Package(s): rpm
CVE #(s): CVE-2012-0060 CVE-2012-0061 CVE-2012-0815
Created: April 4, 2012
Updated: May 7, 2012
Description: The rpm utility has several parsing flaws that can be exploited via a malicious package file to crash the tool or execute arbitrary code. Importantly, the exploit can happen before the validation of the package file's digital signature, so the checks that would normally stop a hostile package file are ineffective here.
Alerts:
Debian-LTS DLA-140-1 rpm 2015-01-28
Ubuntu USN-1695-1 rpm 2013-01-17
Gentoo 201206-26 rpm 2012-06-24
openSUSE openSUSE-SU-2012:0589-1 rpm, rpm-python 2012-05-07
openSUSE openSUSE-SU-2012:0588-1 rpm, rpm-python 2012-05-07
Fedora FEDORA-2012-5420 rpm 2012-04-22
Fedora FEDORA-2012-5421 rpm 2012-04-22
Oracle ELSA-2012-0451 rpm 2012-04-17
Mandriva MDVSA-2012:056 rpm 2012-04-12
Scientific Linux SL-rpm-20120404 rpm 2012-04-04
Oracle ELSA-2012-0451 rpm 2012-04-03
Oracle ELSA-2012-0451 rpm 2012-04-03
CentOS CESA-2012:0451 rpm 2012-04-03
CentOS CESA-2012:0451 rpm 2012-04-03
Red Hat RHSA-2012:0451-01 rpm 2012-04-03



Copyright © 2026, Eklektix, Inc.