154218 2006-11-06 01:53 0000 app-arch/rpm: buffer overflow 2006-11-13 15:20:48 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/22740/ B2 [glsa] Falco P2 normal --- 1 falco@gentoo.org security@gentoo.org sanchan@gentoo.org falco@gentoo.org 2006-11-06 01:53:39 0000 Hi Sanchan, a vulnerability here against app-arch/rpm, fixed in CVS. TITLE: RPM Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA22740 VERIFY ADVISORY: http://secunia.com/advisories/22740/ CRITICAL: Less critical IMPACT: DoS, System access WHERE: From remote SOFTWARE: RPM Package Manager 4.x http://secunia.com/product/12490/ DESCRIPTION: A vulnerability has been reported in RPM, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. The vulnerability is caused due to a boundary error when processing certain RPM packages. This can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into querying a specially crafted RPM package. Successful exploitation may allow the execution of arbitrary code, but requires that certain locales are set (e.g. ru_RU.UTF-8). SOLUTION: Fixed in the CVS repository. PROVIDED AND/OR DISCOVERED BY: Vladimir Mosgalin ORIGINAL ADVISORY: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212833 sanchan@gentoo.org 2006-11-06 12:01:32 0000 I'll try to have the fix in portage as soon as possible. The issue is not so critical beacuse rpm seems to be totally broken (bug #153974, #153292, #153280) and doesn't work at all. I'm trying to have at least one version working. Another reason for the low level of severity is that the overflow vulnerability can be exployted only with LANG=ru_RU.UTF-8. sanchan@gentoo.org 2006-11-06 12:12:05 0000 The provided patch: https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=139715 apply without errors to 4.4.6-r2, I'm testing it right now the ebuild. I'm going to try the patch also on 4.4.7 in the next 2 hours. sanchan@gentoo.org 2006-11-06 13:13:48 0000 Upstream patch in portage for rpm 4.4.6 and 4.4.7, version bump for security fix. falco@gentoo.org 2006-11-06 13:57:08 0000 Thanks Sandro . This was really fast ! dertobi123@gentoo.org 2006-11-07 00:01:40 0000 Since when do we mark (security-)bumped packages directly as stable? sanchan@gentoo.org 2006-11-07 11:16:47 0000 (In reply to comment #5) > Since when do we mark (security-)bumped packages directly as stable? > I don't know, but as far as I can remember it is the policy for security-bump of stable ebuilds. jaervosz@gentoo.org 2006-11-07 11:56:59 0000 Tobias, Sandro just to clarify: it's usually up to the package maintainer wether to bump directly to stable or let arches do the stable marking. dertobi123@gentoo.org 2006-11-07 12:09:11 0000 (In reply to comment #7) > Tobias, Sandro just to clarify: it's usually up to the package maintainer > wether to bump directly to stable or let arches do the stable marking. Where's that documented? I only knew (and still can only find) the process described here: http://www.gentoo.org/security/en/vulnerability-policy.xml#doc_chap4_sect1 jaervosz@gentoo.org 2006-11-07 12:17:14 0000 Tobias, yeah that is normal procedure. For very small fixes/very urgent issues maintainers sometimes bump directly to stable. dertobi123@gentoo.org 2006-11-07 12:22:06 0000 Ok then ... I was just kinda confused as I'm watching bug-mails for the security@g.o alias now for nearly two years and can't remember seeing a bump directly to stable in that time. falco@gentoo.org 2006-11-13 15:20:48 0000 GLSA 200611-08, thanks everybody