Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 154218 - app-arch/rpm: buffer overflow
Summary: app-arch/rpm: buffer overflow
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa] Falco
Depends on:
Reported: 2006-11-06 01:53 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2006-11-13 15:20 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-06 01:53:39 UTC
Hi Sanchan,

a vulnerability here against app-arch/rpm, fixed in CVS.

RPM Buffer Overflow Vulnerability



Less critical

DoS, System access

From remote

RPM Package Manager 4.x

A vulnerability has been reported in RPM, which can be exploited by
malicious people to cause a DoS (Denial of Service) or potentially
compromise a vulnerable system.

The vulnerability is caused due to a boundary error when processing
certain RPM packages. This can be exploited to cause a heap-based
buffer overflow by e.g. tricking a user into querying a specially
crafted RPM package.

Successful exploitation may allow the execution of arbitrary code,
but requires that certain locales are set (e.g. ru_RU.UTF-8).

Fixed in the CVS repository.

Vladimir Mosgalin

Comment 1 Sandro Bonazzola (RETIRED) gentoo-dev 2006-11-06 12:01:32 UTC
I'll try to have the fix in portage as soon as possible. The issue is not so critical beacuse rpm seems to be totally broken (bug #153974, #153292, #153280) and doesn't work at all. I'm trying to have at least one version working.
Another reason for the low level of severity is that the overflow vulnerability can be exployted only with LANG=ru_RU.UTF-8.
Comment 2 Sandro Bonazzola (RETIRED) gentoo-dev 2006-11-06 12:12:05 UTC
The provided patch:

apply without errors to 4.4.6-r2, I'm testing it right now the ebuild.
I'm going to try the patch also on 4.4.7 in the next 2 hours.
Comment 3 Sandro Bonazzola (RETIRED) gentoo-dev 2006-11-06 13:13:48 UTC
Upstream patch in portage for rpm 4.4.6 and 4.4.7, version bump for security fix.
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-06 13:57:08 UTC
Thanks Sandro . This was really fast !
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-07 00:01:40 UTC
Since when do we mark (security-)bumped packages directly as stable?
Comment 6 Sandro Bonazzola (RETIRED) gentoo-dev 2006-11-07 11:16:47 UTC
(In reply to comment #5)
> Since when do we mark (security-)bumped packages directly as stable?

I don't know, but as far as I can remember it is the policy for security-bump of stable ebuilds.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-07 11:56:59 UTC
Tobias, Sandro just to clarify: it's usually up to the package maintainer wether to bump directly to stable or let arches do the stable marking.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-07 12:09:11 UTC
(In reply to comment #7)
> Tobias, Sandro just to clarify: it's usually up to the package maintainer
> wether to bump directly to stable or let arches do the stable marking.

Where's that documented?

I only knew (and still can only find) the process described here:
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-07 12:17:14 UTC
Tobias, yeah that is normal procedure. For very small fixes/very urgent issues maintainers sometimes bump directly to stable. 
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-07 12:22:06 UTC
Ok then ... I was just kinda confused as I'm watching bug-mails for the security@g.o alias now for nearly two years and can't remember seeing a bump directly to stable in that time.
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-13 15:20:48 UTC
GLSA 200611-08, thanks everybody