oss-sec mailing list archives
Re: CVE Request -- rpm (X >= 4.10 and X < 3d74c43 commit): Signature checking function returned success on (possibly malicious ) rpm packages
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 03 Jan 2013 11:39:20 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/03/2013 10:30 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors, RPM upstream has corrected the following security issue: [1] https://bugzilla.novell.com/show_bug.cgi?id=796375 Relevant upstream patch: [2] http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=3d74c43 Affected rpm versions include rpm >= 4.10.0 [3] and < than [2] commit. An attacker could use this flaw to create a syntactically valid rpm package, that could bypass the signature check. Could you allocate a CVE id for this? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team [3] http://rpm.org/wiki/Releases/4.10.0
Please use CVE-2012-6088 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBAgAGBQJQ5dBYAAoJEBYNRVNeJnmTvyMQALo4kVCZmXqkCeGnhmsgJm40 qXebd64x0dtzul2+TCwE/WHzq859kn5P3GMfMw5xSIcIctx5H4PixJ+gqN0W8reG Wha3cUc3mIrrUYL431wIV4OWwnuFFm18bZv7KNWSrK9jBYvhTShZUWVpkIp3h/Yf C881pStk19vL8OYjCeKfbr6Z8wH7Uo5LcUgtP96uqkCXJcvDHL0jhC8SY3Sc9WVV OLXQPqBimrgJ28iArND2+KNImn8G1IgrtbZ23uRYCePJtljOh+lStBPBZ0996i17 gUdrndqu7+HnaD6Xw/mnCWA4th/9q37Zq+JxftKslD0PJf9ppLHwc0hNbb7ExdFF wPW2NbZgd4SnpQNgltiF6tSU8uUn+TzOEBWdmPn3QAtMUUdIZBD4uTyVcNDu4F6r MdHYxRtKoKhXVeYAOrKub6NDO7Ya58rQRYo4RaoRIHSsDx+ZZYbCsth6XabJu4Kl VdQNTqs4Cs+wpBwZtcnfst/hpdrikTykvn90TEA6KqsSHt2GbKpikg/89UjyN+2/ mrzHYfEYnou4Az5zocZoVfqokCVo6vEBcKWUWKnXWBSJgRfCRunzdCgw4QxOvXQP AeVu/m5zODVXhYFR1jmUFMqQItTjO5q9m72mv8FholvnKaRJtUIImXne1KtI6dhc Owy3zwjbTA+N0Zlwmu4N =/Y2G -----END PGP SIGNATURE-----
Current thread:
- CVE Request -- rpm (X >= 4.10 and X < 3d74c43 commit): Signature checking function returned success on (possibly malicious ) rpm packages Jan Lieskovsky (Jan 03)
- Re: CVE Request -- rpm (X >= 4.10 and X < 3d74c43 commit): Signature checking function returned success on (possibly malicious ) rpm packages Kurt Seifried (Jan 03)
- Re: CVE Request -- rpm (X >= 4.10 and X < 3d74c43 commit): Signature checking function returned success on (possibly malicious ) rpm packages Panu Matilainen (Jan 04)