Description: "A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability." Patch: https://github.com/rpm-software-management/rpm/pull/1500 Note that the rpmdb is going to be a root only resource anyway so this is a bit niche in terms of exploitability.
(In reply to Sam James from comment #0) > Patch: https://github.com/rpm-software-management/rpm/pull/1500 > https://github.com/rpm-software-management/rpm/commit/8f4b3c3cab8922a2022b9e47c71f1ecf906077ef Fixed in 4.16.1.3.
Shall we stable?
Oops, stabilization was done in bug 778533. Please cleanup.
GLSA request filed.
This issue was resolved and addressed in GLSA 202107-43 at https://security.gentoo.org/glsa/202107-43 by GLSA coordinator John Helmert III (ajak).
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9517266013b80bf8e96445a63cf25e27831eb793 commit 9517266013b80bf8e96445a63cf25e27831eb793 Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2021-07-25 21:25:01 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2021-07-26 03:12:57 +0000 app-arch/rpm: drop 4.14.2.1-r1, 4.16.0 Bug: https://bugs.gentoo.org/778533 Bug: https://bugs.gentoo.org/787944 Signed-off-by: John Helmert III <ajak@gentoo.org> app-arch/rpm/Manifest | 2 - app-arch/rpm/files/rpm-4.11.0-autotools.patch | 14 --- app-arch/rpm/files/rpm-4.16.0-libdir.patch | 34 ------ app-arch/rpm/files/rpm-4.9.1.2-libdir.patch | 31 ------ app-arch/rpm/rpm-4.14.2.1-r1.ebuild | 141 ------------------------ app-arch/rpm/rpm-4.16.0.ebuild | 153 -------------------------- 6 files changed, 375 deletions(-)