A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.
Note that the patch says it fixes CVE-2021-3421 too, and that doesn't appear to be public.
Please apply the patch, if suitable.
Release rpm-18.104.22.168 should include those patches.
The bug has been referenced in the following commit(s):
Author: Tony Vroon <email@example.com>
AuthorDate: 2021-04-13 19:16:21 +0000
Commit: Tony Vroon <firstname.lastname@example.org>
CommitDate: 2021-04-13 19:17:12 +0000
app-arch/rpm: Version bump to 22.214.171.124
Switch to new crypto provider libgcrypt, as NSS is deprecated. As flagged
up by Sam James in bug #780684. This has potential to address some test
suite failures, but even with -usersandbox I still drown in a sea of:
mktemp: failed to create file via template
No such file or directory
Addresses CVE-2021-20271, a security vulnerability in the signature check
functionality. Also addresses undisclosed vulnerability CVE-2021-3421.
As flagged up by John "ajak" Helmert III in bug #778533
Signed-Off-By: Tony Vroon <email@example.com>
Package-Manager: Portage-3.0.17, Repoman-3.0.2
app-arch/rpm/Manifest | 1 +
app-arch/rpm/files/rpm-126.96.36.199-libdir.patch | 34 ++++++
app-arch/rpm/rpm-188.8.131.52.ebuild | 148 +++++++++++++++++++++++++++
3 files changed, 183 insertions(+)