Bug 450286 (CVE-2012-6088) - <app-arch/rpm-4.10.2: Signature checking function returned success on rpm packages (CVE-2012-6088)
Status: RESOLVED FIXED
Alias: CVE-2012-6088
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [noglsa]
Reported: 2013-01-04 19:50 UTC by Agostino Sarubbo
Modified: 2013-08-22 10:08 UTC
Description Agostino Sarubbo gentoo-dev 2013-01-04 19:50:38 UTC
From $URL:

RPM upstream has corrected the following security issue:
  [1] https://bugzilla.novell.com/show_bug.cgi?id=796375
  Relevant upstream patch:
  [2] http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=3d74c43

Affected rpm versions include rpm >= 4.10.0 [3] and versions earlier than the commit in [2].

An attacker could use this flaw to create a syntactically valid rpm
package that could bypass the signature check.
Comment 1 Tomáš Chvátal (RETIRED) gentoo-dev 2013-01-04 20:31:27 UTC
Easy, we just bump to 4.10.2.

The patch files/rpm-4.8.1-autotools.patch needs to be redone and I don't have the time now, so after/during the weekend maybe.
Comment 2 Stanislav Ochotnicky (RETIRED) gentoo-dev 2013-01-05 00:01:57 UTC
(In reply to comment #1)
> Easy, we just bump to 4.10.2.
> 
> The patch files/rpm-4.8.1-autotools.patch needs to be redone and I don't have
> the time now, so after/during the weekend maybe.

I've managed to find the time to redo the patch. Wouldn't mind someone else verifying, though. 4.10.2 is in CVS.
Comment 3 Tomáš Chvátal (RETIRED) gentoo-dev 2013-01-05 09:47:35 UTC
@sochotnicky:
Seems fine, tested on amd64, ppc, ppc64 and x86, and stabled there as well.
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-06 17:04:41 UTC
Thanks, Tomáš and Stanislav.

Remaining arches, please test and mark stable =app-arch/rpm-4.10.2
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2013-01-07 19:23:12 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2013-01-20 10:50:26 UTC
alpha stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-01-20 17:21:21 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-01-21 15:02:34 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-01-21 16:21:00 UTC
sparc stable
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2013-01-22 12:23:33 UTC
CVE-2012-6088 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6088):
  The rpmpkgRead function in lib/package.c in RPM 4.10.x before 4.10.2 does
  not return an error code in certain situations involving an "unparseable
  signature," which allows remote attackers to bypass RPM signature checks via
  a crafted package.
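The CVE text above describes an error path that fails to report failure. The following is an added illustration of that bug class, constructed for this page and not taken from rpm's lib/package.c: a toy signature header (first byte 0x8e, then an entry count, both constructed here), a read routine shaped like the vulnerable pattern, where the error branch jumps to the exit label while `rc` still holds the success value, and a hardened routine that propagates the helper's result.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

typedef enum { RC_OK = 0, RC_NOTFOUND = 1, RC_FAIL = 2 } rc_t;

/* Constructed toy format: byte 0 must be the magic 0x8e, byte 1 is the
 * number of signature entries. Anything else is an "unparseable signature". */
static rc_t read_signature(const uint8_t *buf, size_t len, int *nentries)
{
    if (len < 2)
        return RC_NOTFOUND;          /* too short to contain a header */
    if (buf[0] != 0x8e)
        return RC_FAIL;              /* unparseable signature */
    *nentries = buf[1];
    return RC_OK;
}

/* Vulnerable shape: rc is pre-initialised to RC_OK and the error branch
 * jumps to the exit label without recording the failure, so a caller that
 * checks only the return value believes the signature read succeeded. */
rc_t pkg_read_vulnerable(const uint8_t *buf, size_t len)
{
    rc_t rc = RC_OK;
    int n = 0;

    switch (read_signature(buf, len, &n)) {
    case RC_OK:
        break;
    default:
        fprintf(stderr, "signature read failed\n");
        goto out;                    /* BUG: rc is still RC_OK here */
    }
    if (n == 0)
        rc = RC_FAIL;                /* header present but empty */
out:
    return rc;
}

/* Hardened shape: the helper's result becomes the return value unless every
 * remaining check explicitly passes; "not found" is treated as a failure. */
rc_t pkg_read_fixed(const uint8_t *buf, size_t len)
{
    int n = 0;
    rc_t rc = read_signature(buf, len, &n);

    if (rc != RC_OK) {
        fprintf(stderr, "signature read failed\n");
        return rc == RC_NOTFOUND ? RC_FAIL : rc;
    }
    return n == 0 ? RC_FAIL : RC_OK;
}
```

A regression test for this class of bug feeds a header with a wrong magic byte and a truncated header to the reader and asserts that neither is reported as RC_OK.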
Comment 11 Agostino Sarubbo gentoo-dev 2013-02-08 12:06:53 UTC
sh stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-02-08 14:47:53 UTC
s390 stable
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-22 15:49:00 UTC
GLSA vote: no.
Comment 14 Sergey Popov gentoo-dev 2013-08-22 10:08:22 UTC
GLSA vote: no

Closing as noglsa