
Bug 638636 (CVE-2017-7501)

Summary: <app-arch/rpm-4.14.1: Denial of service
Product: Gentoo Security
Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: maintainer-needed, suse
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://rpm.org/wiki/Releases/4.13.1
Whiteboard: B3 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 533740
Bug Blocks:

Description D'juan McDonald (domhnall) 2017-11-23 20:01:38 UTC
CVE-2017-7501 (https://nvd.nist.gov/vuln/detail/CVE-2017-7501):

It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.

Upstream Patch: https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc

@maintainer(s): after bump, please call for stabilization when ready, thank you.



Gentoo Security Padawan
(jmbailey/mbailey_j)
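The description above is an instance of a well-known bug class: a temporary file with a predictable name is created in a directory another user can write to, so a symlink planted at that name redirects the write. As an added example (not rpm's code and not the upstream patch), the C below puts the unsafe open pattern beside a hardened one and checks, in a constructed scratch directory under /tmp with made-up file names, that the hardened call refuses the planted link while the unsafe call follows it.

```c
/* Added example, not from rpm: unsafe vs. hardened creation of a
 * predictably named temporary file (the CVE-2017-7501 bug class). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Unsafe: O_CREAT without O_EXCL reuses whatever already sits at path;
 * a symlink there is silently followed to wherever it points. */
int create_tmp_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: O_EXCL makes the kernel fail with EEXIST if anything is
 * already at path (a symlink included, even a dangling one), and
 * O_NOFOLLOW rejects symlinks outright. The check and the create are
 * one atomic syscall, so there is no window to race. */
int create_tmp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Demo in a scratch directory (constructed names): plant a symlink at
 * the predictable temp name, then try both routines. Returns 1 when the
 * unsafe call was redirected to the link target and the hardened call
 * refused; -1 if the scratch setup itself failed. */
int demo_symlink_redirect(void) {
    char dir[] = "/tmp/cve7501demoXXXXXX";
    if (!mkdtemp(dir)) return -1;
    char tmp[256], target[256];
    snprintf(tmp, sizeof tmp, "%s/pkgfile;tmp", dir);  /* predictable name */
    snprintf(target, sizeof target, "%s/victim", dir); /* stands in for an arbitrary file */
    if (symlink(target, tmp) != 0) return -1;

    int unsafe_fd = create_tmp_unsafe(tmp);
    int safe_fd = create_tmp_safe(tmp);
    int safe_err = errno;
    /* The unsafe open succeeded and created the link target: redirected. */
    int followed = (unsafe_fd >= 0) && (access(target, F_OK) == 0);
    int refused = (safe_fd < 0) && (safe_err == EEXIST || safe_err == ELOOP);

    if (unsafe_fd >= 0) close(unsafe_fd);
    if (safe_fd >= 0) close(safe_fd);
    unlink(tmp); unlink(target); rmdir(dir);
    return followed && refused;
}

int main(void) {
    printf("hardened open refused planted symlink: %s\n",
           demo_symlink_redirect() == 1 ? "yes" : "no");
    return 0;
}
```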
Comment 1 D'juan McDonald (domhnall) 2018-05-28 18:47:59 UTC
-----Begin Update-----

Summary of changes from RPM 4.13.0.2
Security fixes

    Revised fix for CVE-2017-7501 for more robust hardlink handling (RhBug:1514608)

General bugfixes

    Fix file lists getting fed to file triggers multiple times (#370)
    Fix not all %transfiletriggerpostun file triggers executing (RhBug:1514085)
    Fix file triggers executing before file fingerprinting
    Fix file triggers firing on non-installed files
    Fix file signatures failing on hardlinked files (#333)

Package building

    Fix signature header sometimes corrupting main header on > 4GB packages (#379)
    Fix non-standard inherited modes of directories in debuginfo (RhBug:641022)

Internal improvements

    Fix header not available during RPMCALLBACK_ELEM_PROGRESS callback
    Fix header not available during file trigger scriptlet callbacks (RhBug:1485389)
    Fix various file trigger scriptlet diagnostics showing “unknown” + other minor file trigger diagnostic improvements

Build process

    Some new testcases
-----End Update------


Last Modified: March 29, 2018, 5:07:39 AM EDT
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2018-11-28 22:54:39 UTC
This issue was resolved and addressed in GLSA 201811-22 at https://security.gentoo.org/glsa/201811-22 by GLSA coordinator Aaron Bauman (b-man).