410949 – (CVE-2012-0060) <app-arch/rpm-4.9.1.3: Multiple vulnerabilities (CVE-2012-{0060,0061,0815})

Bug 410949 (CVE-2012-0060) - <app-arch/rpm-4.9.1.3: Multiple vulnerabilities (CVE-2012-{0060,0061,0815})

Summary: <app-arch/rpm-4.9.1.3: Multiple vulnerabilities (CVE-2012-{0060,0061,0815})

Status:	RESOLVED FIXED

Alias:	CVE-2012-0060

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	B2 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2012-04-05 20:51 UTC by Tim Sammut (RETIRED)
Modified:	2012-06-24 23:08 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tim Sammut (RETIRED) gentoo-dev

2012-04-05 20:51:58 UTC

Three vulnerabilities have been found in rpm.

CVE-2012-0815 incorrect handling of negated offsets in
headerVerifyInfo()
http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=6fc6b45bf9fef0f17a2900c6c5198bda5e50d09e

CVE-2012-0060 insufficient validation of region tags
http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=e4eab2bc6d07cfd33f740071de7ddbb2fe2f4190
http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=f23998251992b8ae25faf5113c42fee2c49c7f29

CVE-2012-0061 improper validation of header contents total size in
headerLoad()
http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=472e569562d4c90d7a298080e0052856aa7fa86b
http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=858a328cd0f7d4bcd8500c78faaf00e4f8033df6

Comment 1 Tomáš Chvátal (RETIRED) gentoo-dev

2012-06-01 13:59:25 UTC

Added 4.9.1.3 which fixes this stuff.

Comment 2 Tomáš Chvátal (RETIRED) gentoo-dev

2012-06-01 14:01:14 UTC

@arches:

Please stabilise and test app-arch/rpm-4.9.1.3.

The only problem is with the maintainer mode which all rpm versions suffer and I have no clue how to fix. If you figure that please feel free to patch it :-)

Comment 3 Agostino Sarubbo gentoo-dev

2012-06-02 13:37:43 UTC

amd64 stable

Comment 4 Markus Meier gentoo-dev

2012-06-03 18:43:22 UTC

arm stable

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev

2012-06-04 09:11:08 UTC

Stable for HPPA.

Comment 6 Thomas Kahle (RETIRED) gentoo-dev

2012-06-04 14:44:13 UTC

x86 stable

Comment 7 Brent Baude (RETIRED) gentoo-dev

2012-06-06 14:08:24 UTC

ppc64 done

Comment 8 Brent Baude (RETIRED) gentoo-dev

2012-06-08 18:00:48 UTC

ppc done

Comment 9 GLSAMaker/CVETool Bot gentoo-dev

2012-06-15 18:54:24 UTC

CVE-2012-0815 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0815):
  The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 allows
  remote attackers to cause a denial of service (crash) and possibly execute
  arbitrary code via a negative value in a region offset of a package header,
  which is not properly handled in a numeric range comparison.

CVE-2012-0061 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0061):
  The headerLoad function in lib/header.c in RPM before 4.9.1.3 does not
  properly validate region tags, which allows user-assisted remote attackers
  to cause a denial of service (crash) and possibly execute arbitrary code via
  a large region size in a package header.

CVE-2012-0060 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0060):
  RPM before 4.9.1.3 does not properly validate region tags, which allows
  remote attackers to cause a denial of service (crash) and possibly execute
  arbitrary code via an invalid region tag in a package header to the (1)
  headerLoad, (2) rpmReadSignature, or (3) headerVerify function.

Comment 10 Raúl Porcel (RETIRED) gentoo-dev

2012-06-23 17:09:23 UTC

alpha/ia64/s390/sh/sparc stable

Comment 11 Sean Amoss (RETIRED) gentoo-dev

2012-06-23 19:36:27 UTC

Thanks, everyone. Appending to existing GLSA draft.

Comment 12 GLSAMaker/CVETool Bot gentoo-dev

2012-06-24 23:08:47 UTC

This issue was resolved and addressed in
 GLSA 201206-26 at http://security.gentoo.org/glsa/glsa-201206-26.xml
by GLSA coordinator Sean Amoss (ackle).