Bug 638636 (CVE-2017-7501) - <app-arch/rpm-4.14.1: Denial of service
Summary: <app-arch/rpm-4.14.1: Denial of service
Status: RESOLVED FIXED
Alias: CVE-2017-7501
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://rpm.org/wiki/Releases/4.13.1
Whiteboard: B3 [glsa+ cve]
Depends on: CVE-2013-6435, CVE-2014-8118
Reported: 2017-11-23 20:01 UTC by D'juan McDonald (domhnall)
Modified: 2018-11-28 22:54 UTC (History)

Runtime testing required: ---


Description D'juan McDonald (domhnall) 2017-11-23 20:01:38 UTC
CVE-2017-7501 (https://nvd.nist.gov/vuln/detail/CVE-2017-7501):

It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.

Upstream Patch: https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc

@maintainer(s): after bump, please call for stabilization when ready, thank you.



Gentoo Security Padawan
(jmbailey/mbailey_j)
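The weakness class in the description (a predictable temporary-file name plus an open() that follows a pre-planted symlink) is easiest to understand next to the hardened pattern. The following is an added illustration, not rpm's code and not the upstream patch: `open_predictable_unsafe`, `open_exclusive_safe`, `open_random_temp` and `demo_planted_symlink` are hypothetical names, and the demo builds its own throwaway directory under /tmp with a constructed victim file and a symlink planted at the predictable name, so it touches nothing else on the system.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Illustrative UNSAFE pattern (hypothetical, not rpm's code): a fixed name and
 * an open() that follows symlinks, so a link planted at that name redirects the
 * write to wherever the link points. Returns an fd or -1. */
int open_predictable_unsafe(const char *dir, const char *name)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened variant: O_CREAT|O_EXCL fails with EEXIST if anything, including a
 * symlink, already occupies the path; O_NOFOLLOW refuses a symlink as the final
 * component; fstat() then confirms we hold a fresh regular file with one link. */
int open_exclusive_safe(const char *dir, const char *name)
{
    char path[PATH_MAX];
    struct stat st;
    snprintf(path, sizeof path, "%s/%s", dir, name);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Preferred: let mkstemp() pick an unpredictable name (it also opens with
 * O_EXCL). The chosen path is written back into 'out'. */
int open_random_temp(const char *dir, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s/tmp.XXXXXX", dir);
    return mkstemp(out);
}

/* Constructed scenario: a throwaway directory with a "victim" file and a
 * symlink planted at the predictable name. Runs both openers against it.
 * Returns 1 if the unsafe opener wrote through the link and the safe opener
 * refused, 0 otherwise, -1 on setup failure. */
int demo_planted_symlink(void)
{
    char dir[] = "/tmp/symlink-demo.XXXXXX";
    char target[PATH_MAX], link[PATH_MAX], buf[32] = {0};
    int unsafe_fd, safe_fd, safe_errno, unsafe_wrote = 0, safe_refused = 0;
    FILE *f;

    if (!mkdtemp(dir))
        return -1;
    snprintf(target, sizeof target, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/predictable.tmp", dir);
    if (!(f = fopen(target, "w")))
        return -1;
    fputs("original\n", f);
    fclose(f);
    if (symlink(target, link) != 0)
        return -1;

    /* The naive opener follows the planted link and clobbers the victim. */
    unsafe_fd = open_predictable_unsafe(dir, "predictable.tmp");
    if (unsafe_fd >= 0) {
        ssize_t n = write(unsafe_fd, "clobbered\n", 10);
        (void)n;
        close(unsafe_fd);
    }
    if ((f = fopen(target, "r"))) {
        if (fgets(buf, sizeof buf, f) && strcmp(buf, "clobbered\n") == 0)
            unsafe_wrote = 1;
        fclose(f);
    }

    /* The hardened opener sees something already at the path and refuses. */
    safe_fd = open_exclusive_safe(dir, "predictable.tmp");
    safe_errno = errno;
    if (safe_fd < 0 && (safe_errno == EEXIST || safe_errno == ELOOP))
        safe_refused = 1;
    if (safe_fd >= 0)
        close(safe_fd);

    unlink(link);
    unlink(target);
    rmdir(dir);
    return (unsafe_wrote && safe_refused) ? 1 : 0;
}

int main(void)
{
    char path[PATH_MAX];
    int fd = open_random_temp("/tmp", path, sizeof path);
    printf("planted symlink demo: %s\n", demo_planted_symlink() == 1
           ? "unsafe opener followed the link, safe opener refused" : "unexpected");
    if (fd >= 0) { close(fd); unlink(path); }
    return 0;
}
```

The fstat() check after the O_EXCL open is the part most often skipped: O_EXCL alone already defeats a pre-planted link, but verifying S_ISREG and st_nlink == 1 on the descriptor you actually hold also catches a hard link or a non-regular object, which is the "more robust hardlink handling" the 4.13.0.2 release notes below refer to.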
Comment 1 D'juan McDonald (domhnall) 2018-05-28 18:47:59 UTC
-----Begin Update-----

Summary of changes from RPM 4.13.0.2
Security fixes

    Revised fix for CVE-2017-7501 for more robust hardlink handling (RhBug:1514608)

General bugfixes

    Fix file lists getting fed to file triggers multiple times (#370)
    Fix not all %transfiletriggerpostun file triggers executing (RhBug:1514085)
    Fix file triggers executing before file fingerprinting
    Fix file triggers firing on non-installed files
    Fix file signatures failing on hardlinked files (#333)

Package building

    Fix signature header sometimes corrupting main header on > 4GB packages (#379)
    Fix non-standard inherited modes of directories in debuginfo (RhBug:641022)

Internal improvements

    Fix header not available during RPMCALLBACK_ELEM_PROGRESS callback
    Fix header not available during file trigger scriptlet callbacks (RhBug:1485389)
    Fix various file trigger scriptlet diagnostics showing “unknown” + other minor file trigger diagnostic improvements

Build process

    Some new testcases
-----End Update------


Last Modified: March 29, 2018, 5:07:39 AM EDT
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2018-11-28 22:54:39 UTC
This issue was resolved and addressed in
 GLSA 201811-22 at https://security.gentoo.org/glsa/201811-22
by GLSA coordinator Aaron Bauman (b-man).