Rapid7 Vulnerability & Exploit Database

RHSA-2012:0451: rpm security update


Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Published: 04/03/2012
Created: 07/25/2018
Added: 04/16/2012
Modified: 07/04/2017

Description

The RPM Package Manager (RPM) is a command-line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages.

Multiple flaws were found in the way RPM parsed package file headers. An attacker could create a specially-crafted RPM package that, when its package header was accessed, or during package signature verification, could cause an application using the RPM library (such as the rpm command line tool, or the yum and up2date package managers) to crash or, potentially, execute arbitrary code. (CVE-2012-0060, CVE-2012-0061, CVE-2012-0815)

Note: Although an RPM package can, by design, execute arbitrary code when installed, this issue would allow a specially-crafted RPM package to execute arbitrary code before its digital signature has been verified. Package downloads from the Red Hat Network are protected by the use of a secure HTTPS connection in addition to the RPM package signature checks.

All RPM users should upgrade to these updated packages, which contain a backported patch to correct these issues. All running applications linked against the RPM library must be restarted for this update to take effect.

Solution(s)

  • redhat-upgrade-popt
  • redhat-upgrade-rpm
  • redhat-upgrade-rpm-apidocs
  • redhat-upgrade-rpm-build
  • redhat-upgrade-rpm-cron
  • redhat-upgrade-rpm-debuginfo
  • redhat-upgrade-rpm-devel
  • redhat-upgrade-rpm-libs
  • redhat-upgrade-rpm-python
