Bug 5375

Summary: rpm new security issues CVE-2012-0060, CVE-2012-0061, CVE-2012-0815
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: davidwhodgins, dmorganec, pterjan, sysadmin-bugs, thierry.vignaud, tmb
Version: 1
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: rpm-4.8.1-10.3.mga1.src.rpm
CVE:
Status comment:

Description David Walser 2012-04-12 16:48:39 CEST
Mandriva has issued this advisory today (April 12):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:056

The references contain links to RedHat Bugzilla with patches for rpm 4.8.x.
David Walser 2012-04-12 17:59:22 CEST

CC: (none) => dmorganec

David Walser 2012-04-12 17:59:33 CEST

CC: (none) => pterjan

David Walser 2012-04-12 17:59:45 CEST

CC: (none) => thierry.vignaud

Comment 1 David Walser 2012-04-12 18:00:14 CEST
Just FYI, I checked the RedHat patches and they apply cleanly.
Comment 2 David Walser 2012-04-14 02:40:06 CEST
Patched package uploaded.

Advisory:
========================

Updated rpm packages fix security vulnerabilities:

Multiple flaws were found in the way RPM parsed package file
headers. An attacker could create a specially-crafted RPM package that,
when its package header was accessed, or during package signature
verification, could cause an application using the RPM library
to crash or, potentially, execute arbitrary code (CVE-2012-0060,
CVE-2012-0061, CVE-2012-0815).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0060
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0061
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0815
https://bugzilla.redhat.com/show_bug.cgi?id=744104
https://bugzilla.redhat.com/show_bug.cgi?id=744858
https://bugzilla.redhat.com/show_bug.cgi?id=798585
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:056
========================

Updated packages in core/updates_testing:
========================
rpm-4.8.1-10.4.mga1
librpm1-4.8.1-10.4.mga1
librpm-devel-4.8.1-10.4.mga1
rpm-build-4.8.1-10.4.mga1
python-rpm-4.8.1-10.4.mga1

from rpm-4.8.1-10.4.mga1.src.rpm

Assignee: bugsquad => qa-bugs
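The advisory in comment 2 describes flaws in how RPM parsed package file headers: each header index entry carries a tag, type, offset and count that come straight from the file, and the library must refuse any entry that would read outside the header's data store. The Python below is an added illustration, not code from this bug, from the Red Hat patches or from rpm itself; it parses the RPM header layout (8-byte magic, index count, store size, 16-byte index entries, then the data store) and rejects negative, misaligned, overrunning or unterminated entries, and the sample inputs it is tested with are constructed for the example.

```python
import struct

HEADER_MAGIC = b"\x8e\xad\xe8\x01\x00\x00\x00\x00"   # magic, version 1, four reserved bytes
# Fixed-width RPM types CHAR, INT8, INT16, INT32, INT64, BIN -> (byte width, struct code)
FIXED = {1: (1, "B"), 2: (1, "B"), 3: (2, "H"), 4: (4, "I"), 5: (8, "Q"), 7: (1, None)}
STRING_TYPES = (6, 8, 9)   # STRING, STRING_ARRAY, I18NSTRING: NUL-terminated inside the store

def parse_rpm_header(blob):
    """Return {tag: value} for a header blob; raise ValueError if any index entry escapes the store."""
    if blob[:8] != HEADER_MAGIC:
        raise ValueError("bad header magic")
    nindex, hsize = struct.unpack(">II", blob[8:16])
    store, entries = blob[16 + 16 * nindex:16 + 16 * nindex + hsize], {}
    if not nindex or not hsize or len(store) != hsize:
        raise ValueError("empty or truncated header")
    for i in range(nindex):
        # tag, type, offset and count all come from the file, so each one is bounds-checked before use
        tag, typ, off, count = struct.unpack(">iIiI", blob[16 + 16 * i:32 + 16 * i])
        if off < 0 or off >= hsize or count == 0:
            raise ValueError(f"tag {tag}: offset {off} outside data store")
        if typ in FIXED:
            width, code = FIXED[typ]
            if off % width or count > (hsize - off) // width:   # misaligned, or count*width overruns
                raise ValueError(f"tag {tag}: {count} x {width} bytes overruns store")
            raw = store[off:off + count * width]
            entries[tag] = raw if typ == 7 else list(struct.unpack(">%d%s" % (count, code), raw))
        elif typ in STRING_TYPES:
            if typ == 6 and count != 1:
                raise ValueError(f"tag {tag}: STRING with count {count}")
            strs, pos = [], off
            for _ in range(count):
                end = store.find(b"\0", pos)
                if end < 0:   # a C strlen() here would run past hsize
                    raise ValueError(f"tag {tag}: unterminated string")
                strs.append(store[pos:end].decode("utf-8", "replace"))
                pos = end + 1
            entries[tag] = strs[0] if typ == 6 else strs
        else:
            raise ValueError(f"tag {tag}: unknown type {typ}")
    return entries

def build_header(entries):
    """Assemble (tag, type, count, raw_bytes) tuples into a header; used here only to construct inputs."""
    index, store = b"", b""
    for tag, typ, count, raw in entries:
        index += struct.pack(">iIiI", tag, typ, len(store), count)
        store += raw
    return HEADER_MAGIC + struct.pack(">II", len(entries), len(store)) + index + store
```

Feeding a header whose second index entry has its offset field rewritten to 0x7fffffff or to a negative value, or whose count exceeds the bytes left in the store, raises ValueError instead of reading past the buffer.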

Comment 3 David Walser 2012-04-21 00:22:34 CEST
I saw QA asking why rpm is in updates_testing in IRC.  This bug is already assigned to qa-bugs, so I hope you all see this.
Comment 4 Dave Hodgins 2012-04-21 02:44:38 CEST
Thanks.  Somehow I had missed this one.

Testing complete on i586 for the srpm
rpm-4.8.1-10.4.mga1.src.rpm

I've been using it for 5 days now, without any problems.

CC: (none) => davidwhodgins

Comment 5 claire robinson 2012-04-21 10:19:27 CEST
Thanks David. I didn't see it either :\

No PoCs and no regressions noticed in use.

Testing complete x86_64

Validating

Could sysadmin please push from core/updates_testing to core/updates

See comment 2 for Advisory and SRPM

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 6 Thomas Backlund 2012-04-22 19:23:52 CEST
Update pushed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED