From $URL :

RPM upstream has corrected the following security issue:

[1] https://bugzilla.novell.com/show_bug.cgi?id=796375

Relevant upstream patch:

[2] http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=3d74c43

Affected rpm versions include rpm >= 4.10.0 [3] and < [2] commit.

An attacker could use this flaw to create a syntactically valid rpm package that could bypass the signature check.
Easy, we just bump to 4.10.2. The patch files/rpm-4.8.1-autotools.patch needs to be redone and I ain't have the time now, so after/during the weekend maybe.
(In reply to comment #1)
> Easy, we just bump to 4.10.2.
>
> The patch files/rpm-4.8.1-autotools.patch needs to be redone and I ain't have
> the time now, so after/during the weekend maybe.

I've managed to find the time to redo the patch. Wouldn't mind someone else verifying though. 4.10.2 is in CVS.
@sochotnicky: Seems fine, tested on amd64, ppc, ppc64 and x86, stabled also there.
Thanks, Tomáš and Stanislav. Remaining arches, please test and mark stable =app-arch/rpm-4.10.2
Stable for HPPA.
alpha stable
arm stable
ia64 stable
sparc stable
CVE-2012-6088 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6088): The rpmpkgRead function in lib/package.c in RPM 4.10.x before 4.10.2 does not return an error code in certain situations involving an "unparseable signature," which allows remote attackers to bypass RPM signature checks via a crafted package.
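The defect class the CVE entry describes, a reader that hits an unparseable signature header and still hands back a success code, is easy to reproduce outside RPM. The block below is an added, constructed example; it is not RPM's lib/package.c, and its package container, signature header and `SIGNING_KEY` are invented for the demonstration. It places the fail-open reader next to a fail-closed one so the difference in return codes can be tested directly.

```python
"""Constructed illustration of the fail-open pattern behind CVE-2012-6088:
a package reader that swallows a signature parse error and returns OK.
Not RPM's code; the container format and key below are made up."""
import hashlib
import hmac
from enum import Enum

# Toy package layout (constructed):
#   b"PKG\0" + sig_len (1 byte) + sig_header + payload
# sig_header is b"SHA256:" followed by 64 hex chars of HMAC-SHA256(payload).
MAGIC = b"PKG\0"
SIG_TYPE = b"SHA256:"
SIGNING_KEY = b"example-signing-key"  # constructed; stands in for the trusted key


class RC(Enum):
    """Return codes, mirroring the usual OK / NOTFOUND / FAIL split."""
    OK = 0
    NOTFOUND = 1
    FAIL = 2


def make_package(payload: bytes, key: bytes = SIGNING_KEY) -> bytes:
    """Build a correctly signed toy package."""
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    sig = SIG_TYPE + mac
    return MAGIC + bytes([len(sig)]) + sig + payload


def _split(pkg: bytes):
    """Split container into (sig_header, payload); malformed container raises."""
    if len(pkg) < 5 or not pkg.startswith(MAGIC):
        raise ValueError("bad magic")
    n = pkg[4]
    return pkg[5:5 + n], pkg[5 + n:]


def _parse_sig(sig: bytes) -> bytes:
    """Return the hex MAC from the header; raise ValueError if unparseable."""
    if not sig.startswith(SIG_TYPE):
        raise ValueError("unknown signature type")
    mac = sig[len(SIG_TYPE):]
    if len(mac) != 64 or any(c not in b"0123456789abcdef" for c in mac):
        raise ValueError("malformed digest")
    return mac


def _mac_ok(mac_hex: bytes, payload: bytes, key: bytes) -> bool:
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(mac_hex, expected)


def read_package_vulnerable(pkg: bytes, key: bytes = SIGNING_KEY):
    """Fail-open reader: rc is initialised to OK and never updated when the
    signature header cannot be parsed, so the caller accepts the payload."""
    rc = RC.OK
    sig, payload = _split(pkg)
    try:
        mac = _parse_sig(sig)
    except ValueError:
        # BUG: the parse error is dropped on the floor and rc stays OK.
        return rc, payload
    if not _mac_ok(mac, payload, key):
        rc = RC.FAIL
    return rc, payload


def read_package_fixed(pkg: bytes, key: bytes = SIGNING_KEY):
    """Fail-closed reader: an unparseable signature is a verification failure
    and no payload is returned to the caller."""
    sig, payload = _split(pkg)
    try:
        mac = _parse_sig(sig)
    except ValueError:
        return RC.FAIL, None
    if not _mac_ok(mac, payload, key):
        return RC.FAIL, None
    return RC.OK, payload


if __name__ == "__main__":
    good = make_package(b"hello")
    garbage_sig = MAGIC + bytes([7]) + b"BOGUS!!" + b"hello"  # constructed
    print("good  vuln:", read_package_vulnerable(good)[0], " fixed:", read_package_fixed(good)[0])
    print("bogus vuln:", read_package_vulnerable(garbage_sig)[0], " fixed:", read_package_fixed(garbage_sig)[0])
```

The point to take from the two readers is that the vulnerable one never distinguishes "signature verified" from "signature could not be interpreted"; any caller that only checks for `RC.OK` installs the unverified payload. The fixed reader collapses both parse failure and MAC mismatch into `RC.FAIL`, which is the behaviour a signature check has to have.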
sh stable
s390 stable
GLSA vote: no.
GLSA vote: no. Closing as noglsa.