
Bug 384967 (CVE-2011-3378)

Summary: <app-arch/rpm-4.9.1.2 Region Offset Parsing Vulnerabilities (CVE-2011-3378)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: sochotnicky
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/46096/
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 406479    
Bug Blocks: 335880    

Description Agostino Sarubbo gentoo-dev 2011-09-29 18:44:06 UTC
From the Secunia security advisory at $URL:

Description:
1) A boundary error within the "headerLoad()" function (lib/header.c) when parsing region offsets can be exploited to cause a buffer overflow by tricking a user into e.g. checking signatures of a specially crafted RPM package.

2) An error within the "regionSwab()" function (lib/header.c) when parsing region offsets can be exploited to corrupt memory by tricking a user into e.g. checking signatures of a specially crafted RPM package.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

Solution:
Update to version 4.9.1.2.
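
The kind of region-offset bounds check the advisory text above is about, as an added example (not part of the bug report, and not rpm's code or its fix). It assumes the RPM header blob layout of two big-endian 32-bit counts (index length, data length), then 16-byte index entries, then the data area, with the first index entry's offset pointing at a 16-byte region trailer; `check_region_offset`, `build_sample` and the size caps are hypothetical.

```c
#include <stdint.h>
#include <string.h>

#define ENTRY_SIZE 16u   /* index entry: tag, type, offset, count */
#define TRAILER_SIZE 16u /* region trailer kept in the data area */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Hypothetical validator: 0 if entry 0's region offset and the trailer it
 * points at stay inside the blob, -1 otherwise. blob is untrusted. */
int check_region_offset(const uint8_t *blob, size_t len) {
    if (blob == NULL || len < 8) return -1;
    uint32_t il = be32(blob), dl = be32(blob + 4);
    /* Cap both counts before any arithmetic (caps chosen for this example). */
    if (il == 0 || il > 0xFFFFu || dl > 0x0FFFFFFFu) return -1;
    size_t index_bytes = (size_t)il * ENTRY_SIZE;
    if (len - 8 < index_bytes || len - 8 - index_bytes < dl) return -1;
    const uint8_t *data = blob + 8 + index_bytes;
    uint32_t off = be32(blob + 8 + 8); /* offset field of entry 0 */
    /* The whole trailer must fit between data[off] and data[dl]. */
    if (off > dl || dl - off < TRAILER_SIZE) return -1;
    /* The trailer's offset is stored as -(region entries * ENTRY_SIZE). */
    uint32_t raw = be32(data + off + 8);
    if ((raw & 0x80000000u) == 0) return -1;
    uint32_t rdl = ~raw + 1u; /* two's-complement negation */
    if (rdl % ENTRY_SIZE != 0 || rdl / ENTRY_SIZE > il) return -1;
    return 0;
}

/* Constructed 40-byte sample: one region entry followed by its trailer. */
size_t build_sample(uint8_t *out, uint32_t region_off) {
    memset(out, 0, 40);
    put_be32(out, 1); put_be32(out + 4, 16);      /* il = 1, dl = 16 */
    put_be32(out + 8, 62); put_be32(out + 12, 7); /* sample tag and type */
    put_be32(out + 16, region_off); put_be32(out + 20, 16); /* offset, count */
    memcpy(out + 24, out + 8, 16);   /* trailer mirrors the entry ... */
    put_be32(out + 32, 0xFFFFFFF0u); /* ... but with offset = -16 */
    return 40;
}

int main(void) { /* exits 0 when the constructed sample is accepted */
    uint8_t b[40]; return check_region_offset(b, build_sample(b, 0));
}
```

The checks subtract before comparing (`dl - off < TRAILER_SIZE` after `off > dl` is ruled out) so that an attacker-chosen offset cannot wrap the arithmetic.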
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-02-25 03:58:28 UTC
CVE-2011-3378 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3378):
  RPM 4.4.x through 4.9.x, probably before 4.9.1.2, allows remote attackers to
  cause a denial of service (memory corruption) and possibly execute arbitrary
  code via an rpm package with crafted headers and offsets that are not
  properly handled when a package is queried or installed, related to (1) the
  regionSwab function, (2) the headerLoad function, and (3) multiple functions
  in rpmio/rpmpgp.c.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-01 18:01:08 UTC
Can we stabilize =app-arch/rpm-4.9.1.2?
Comment 3 Stanislav Ochotnicky (RETIRED) gentoo-dev 2012-03-01 20:43:15 UTC
Trouble is rpm-4.9.1.2 has been in the tree only for a few days. I wanted it to get a bit more testing, but I guess something is better than nothing. Sadly, we didn't have any testing of newer rpms on several architectures where older rpm has been stabilized, so it will still affect users of those architectures.

I'll file a stabilization bug.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-03-01 21:15:26 UTC
(In reply to comment #3)
> 
> I'll file a stabilization bug

Thank you. The preference is to do stabilization in the security bug itself. No need to change it this time, but just for future reference.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-03-25 14:53:37 UTC
Stabilization completed in bug 406479. GLSA request filed.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-06-24 23:08:40 UTC
This issue was resolved and addressed in
 GLSA 201206-26 at http://security.gentoo.org/glsa/glsa-201206-26.xml
by GLSA coordinator Sean Amoss (ackle).