CVE-2021-20271: A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability. Patch: https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21 Note that the patch says it fixes CVE-2021-3421 too, and that doesn't appear to be public. Please apply the patch, if suitable.
Release rpm-4.16.1.3 should include those patches.
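The report above hinges on a package whose signature header has been altered while the package still looks verifiable. As an added example (not code from this bug, from rpm, or from the linked upstream fix), the following Python checker parses an RPM signature header and flags index entries whose data falls outside the header's data region, or whose tag is not one rpm expects in a signature header. The header layout, the lead size and the tag numbers are assumed from the documented RPM package format and rpm's rpmtag.h, not from this page; the sample headers are constructed inline. It is a structural sanity check on the file, not a reimplementation of rpm's fix.

```python
import struct

# RPM on-disk layout (assumed from the package format, not from this bug):
# 96-byte lead, then the signature header, then the main header and payload.
RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
LEAD_SIZE = 96
# Header magic 8e ad e8, version 1, four reserved bytes.
HEADER_MAGIC = b"\x8e\xad\xe8\x01\x00\x00\x00\x00"

# Tags expected in a *signature* header (numbers assumed from rpm's rpmtag.h).
# Anything else in this header is treated as suspicious by this checker.
SIGNATURE_TAGS = {
    62: "HEADERSIGNATURES", 267: "DSA", 268: "RSA", 269: "SHA1", 273: "SHA256",
    1000: "SIZE", 1002: "PGP", 1004: "MD5", 1005: "GPG",
    1007: "PAYLOADSIZE", 1008: "RESERVEDSPACE",
}
# Element width of the fixed-size header data types: NULL, CHAR, INT8..INT64, BIN.
FIXED_WIDTH = {0: 0, 1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}
# STRING, STRING_ARRAY and I18NSTRING are sequences of NUL-terminated strings.
STRING_TYPES = {6, 8, 9}


def build_header(entries):
    """Serialize (tag, type, payload) triples into a header blob.

    Used here only to construct sample input. `count` is derived from the
    payload: elements for fixed-width types, NUL-terminated strings otherwise.
    """
    index, data = b"", b""
    for tag, typ, payload in entries:
        if typ in STRING_TYPES:
            count = payload.count(b"\x00")
        else:
            width = FIXED_WIDTH[typ]
            count = len(payload) // width if width else 0
        index += struct.pack(">iiii", tag, typ, len(data), count)
        data += payload
    return HEADER_MAGIC + struct.pack(">ii", len(entries), len(data)) + index + data


def check_signature_header(blob):
    """Return a list of problems found in the signature header at the start of blob.

    An empty list means every index entry has an expected tag, a known type and
    data that lies entirely inside the header's data region.
    """
    problems = []
    if len(blob) < 16 or blob[:8] != HEADER_MAGIC:
        return ["bad header magic"]
    nindex, hsize = struct.unpack(">ii", blob[8:16])
    if nindex < 0 or hsize < 0 or 16 + nindex * 16 + hsize > len(blob):
        return ["index/data sizes exceed available bytes"]
    data = blob[16 + nindex * 16: 16 + nindex * 16 + hsize]
    for i in range(nindex):
        off = 16 + i * 16
        tag, typ, offset, count = struct.unpack(">iiii", blob[off:off + 16])
        if tag not in SIGNATURE_TAGS:
            problems.append(f"entry {i}: unexpected tag {tag} in signature header")
        if offset < 0 or offset > hsize or count < 0:
            problems.append(f"entry {i}: offset/count out of range")
            continue
        if typ in FIXED_WIDTH:
            if offset + count * FIXED_WIDTH[typ] > hsize:
                problems.append(f"entry {i}: tag {tag} data runs past header end")
        elif typ in STRING_TYPES:
            if data[offset:].count(b"\x00") < count:
                problems.append(f"entry {i}: tag {tag} has unterminated string(s)")
        else:
            problems.append(f"entry {i}: unknown type {typ}")
    return problems


def check_rpm_file(path):
    """Run the checker against the signature header of an .rpm on disk."""
    with open(path, "rb") as f:
        lead = f.read(LEAD_SIZE)
        if lead[:4] != RPM_LEAD_MAGIC:
            return ["not an rpm (bad lead magic)"]
        return check_signature_header(f.read())


# Constructed sample headers (not taken from any real package).
GOOD = build_header([
    (1000, 4, struct.pack(">i", 4096)),   # SIZE, one int32
    (1004, 7, bytes(16)),                 # MD5, 16 raw bytes
])
# Same header with the MD5 entry's offset pushed so its 16 bytes overrun hsize.
BAD_OFFSET = bytearray(GOOD)
struct.pack_into(">i", BAD_OFFSET, 16 + 16 + 8, 8)   # offset field of entry 1
# A header carrying a tag that does not belong in a signature header.
BAD_TAG = build_header([(1016, 6, b"Fake Vendor\x00")])
```

`check_signature_header(GOOD)` returns an empty list, `check_signature_header(BAD_OFFSET)` reports the overrunning MD5 entry, and `check_signature_header(BAD_TAG)` reports the unexpected tag; `check_rpm_file` applies the same check to a real file by skipping the lead first.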
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=46e2330f712a1c60bed71abc25eea1f4f499f150

commit 46e2330f712a1c60bed71abc25eea1f4f499f150
Author:     Tony Vroon <chainsaw@gentoo.org>
AuthorDate: 2021-04-13 19:16:21 +0000
Commit:     Tony Vroon <chainsaw@gentoo.org>
CommitDate: 2021-04-13 19:17:12 +0000

    app-arch/rpm: Version bump to 4.16.1.3

    Switch to new crypto provider libgcrypt, as NSS is deprecated.
    As flagged up by Sam James in bug #780684.
    This has potential to address some test suite failures, but even with
    -usersandbox I still drown in a sea of:
    mktemp: failed to create file via template '/var/tmp/portage/app-arch/rpm-4.16.1.3/temp/rpmXXXXXX': No such file or directory

    Addresses CVE-2021-20271, a security vulnerability in the signature check
    functionality. Also addresses undisclosed vulnerability CVE-2021-3421.
    As flagged up by John "ajak" Helmert III in bug #778533

    Bug: https://bugs.gentoo.org/778533
    Closes: https://bugs.gentoo.org/780684
    Signed-Off-By: Tony Vroon <chainsaw@gentoo.org>
    Package-Manager: Portage-3.0.17, Repoman-3.0.2

 app-arch/rpm/Manifest                        |   1 +
 app-arch/rpm/files/rpm-4.16.1.3-libdir.patch |  34 ++++++
 app-arch/rpm/rpm-4.16.1.3.ebuild             | 148 +++++++++++++++++++++++++++
 3 files changed, 183 insertions(+)
Been a month, let's roll?
Let me know if you need anything; this is good to go as far as I'm concerned.
(In reply to Tony Vroon from comment #4)
> Let me know if you need anything; this is good to go as far as I'm concerned.

Excellent, thank you!
ppc64 done
ppc done
arm64 done
x86 done
amd64 done
arm done

all arches done
Please cleanup.
GLSA request filed.
This issue was resolved and addressed in GLSA 202107-43 at https://security.gentoo.org/glsa/202107-43 by GLSA coordinator John Helmert III (ajak).
Reopening for cleanup
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9517266013b80bf8e96445a63cf25e27831eb793

commit 9517266013b80bf8e96445a63cf25e27831eb793
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2021-07-25 21:25:01 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2021-07-26 03:12:57 +0000

    app-arch/rpm: drop 4.14.2.1-r1, 4.16.0

    Bug: https://bugs.gentoo.org/778533
    Bug: https://bugs.gentoo.org/787944
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 app-arch/rpm/Manifest                         |   2 -
 app-arch/rpm/files/rpm-4.11.0-autotools.patch |  14 ---
 app-arch/rpm/files/rpm-4.16.0-libdir.patch    |  34 ------
 app-arch/rpm/files/rpm-4.9.1.2-libdir.patch   |  31 ------
 app-arch/rpm/rpm-4.14.2.1-r1.ebuild           | 141 ------------------------
 app-arch/rpm/rpm-4.16.0.ebuild                | 153 --------------------------
 6 files changed, 375 deletions(-)
All done!